520 likes | 784 Views
Security in Wireless LANs. Presented by Raquel S. Whittlesey-Harris 6/25/02. Contents. Wireless LANs, An Overview Security Threats Basic Definitions HIPERLAN 802.11 Solutions References. Wireless LANs, An Overview. What is Wireless Local Area Network technology (WLAN)?
E N D
Security in Wireless LANs Presented by Raquel S. Whittlesey-Harris 6/25/02
Contents • Wireless LANs, An Overview • Security Threats • Basic Definitions • HIPERLAN • 802.11 • Solutions • References
Wireless LANs, An Overview • What is Wireless Local Area Network technology (WLAN)? • A wireless (w/o wired cables) data communication system that uses shared radio waves or infrared light to transmit and receive data • Provides freedom and flexibility to connect to a network or internet w/o being physically connected with a cable or modem
Wireless LANs, An Overview • Communication is via air, walls, ceilings and cement structures (throughout or between buildings) • Can alleviate network deployment costs • Solve some installation problems of older structures (asbestos) • Essentially an unlimited number of points for attacking • We will take a look at two standards • IEEE’s 802.11 • ETSI’s HIPERLAN
Wireless LANs, An Overview • Peer-to-Peer (Adhoc) • Wireless devices have no access point connection and each device communicates with each other directly
Wireless LANs, An Overview • Client/Server (infrastructure networking) • Extends an existing wired LAN to wireless devices by adding an access point (bridge and central controller)
Security • What is a secure environment? • No system is 100% secure • Generally applications, industries apply their own set of security tolerances • E.g., DHHA (Department of Health and Human Services) has created a set of rules called the HIPAA (Health Insurance Portability and Accountability Act) to regulate the use and discloser of protected health information
Security Threats • Denial-of-Service • The system or network becomes unavailable to legitimate users or services are interrupted or delayed (due to interference) • Equipment can be purchased from electronic stores easily and prices are reasonable • Protection is expensive and difficult • Only total solution is to have the wireless network inside of the faraday cage (applicable in rare cases) • Easy however to locate the transceiver used to generate the interference
Security Threats • Interception/Eavesdropping (confidentiality) • Identity of a user is intercepted for use later to masquerade as a legitimate user • Data stream is intercepted and decrypted for the purpose of disclosing private information • Radio band transmissions are readily intercepted • There is no means to detect if a transmission has been eavesdropped • Strong encryption is necessary to keep the contents of intercepted signals from being disclosed
Security Threats • The frequency band and transceiver power has a great effect on the range where the transmission can be heard • 2-5 MHz radio band and 1 W transceiver power • W/o electromagnetic shielding the network transmissions may be eavesdropped from outside of the building for which the network is operating • Manipulation • Data has been compromised • Inserted, deleted or otherwise modified • Can occur during transmission or to stored data • E.g., a virus
Security Threats • Masquerading • The act of an adversary posing as a legitimate user in order to gain access to a wireless network or system served by the network • Strong authentication is required to prevent such attacks • Repudiation • User denies performing an action on the network • Sending a particular message • Accessing the network • Again strong authentication of user’s is required, integrity assurance methods, and digital signatures
Security Threats • Transitive Trust • Intrusion by fooling the LAN to trust the mobile controlled by the intruder • Authentication again important • Infrastructure • These attacks are based on weaknesses in the system • Software, configuration, hardware failure, etc. • Protection almost impossible • Best to just test the system as thoroughly as possible
Basic Definitions • Confidentiality • Are you the only one who is viewing information specific to you or authorized users? • Integrity • Are you communicating with whom you think? • Is the data you are looking at correct or has it been tampered with? • Availability • Are the required services there when you need them? • Authentication • Are you who you say you are?
HIPERLAN • Developed by the European Telecommunications Standards Institute (ETSI) • Similar to 802.11 • HiperLAN/1 • Provides communications up to 20 Mbps in the 5-GHz range of the radio frequency spectrum • HiperLAN/2 • Provides communications up to 54 Mbps in the same FR band • Compatible with 3G WLAN systems (data, images, voice)
HIPERLAN • Defines the MAC sublayer, Channel Access Control (CAC) sublayer and the physical layer • Currently the defined physical layers use 5.15 – 5.30 GHz frequency band and supports • Up to 2,048 Kbps synchronous traffic • Up to 25 Mbps asynchronous traffic
HIPERLAN • Properties • Provides a service that is compatible with the ISO MAC service definition in ISO/IEC 15 802-1 • Compatible with the ISO MAC bridges specification ISO/IEC 10 038 for interconnection with other LANS • Ad-hoc or arranged topology possible • Supports mobility • May have coverage beyond the radio range limitation of a single node • Supports asynchronous and time-bounded communication by means of a Channel Access Mechanism (CAM) – priorities provide hierarchical independence of performance • Power Management
HIPERLAN • Defines an optional encryption-decryption scheme • All HM-entities (HiperLAN MAC) use a common set of shared keys (HIPERLAN key-set) • Each has a unique key identifier • Plain text is ciphered by XOR operation with random sequence generated by a confidential algorithm • Uses the secret key and an initialization vector sent in every MPDU (MAC Protocol Data Unit) as input
HIPERLAN • HiperLAN does not define any kind of authentication
802.11 • Defined by IEEE to cover the physical layers and MAC sublayers for WLANs • 3 physical layers • Frequency Hopping Spread Spectrum (FHSS) • Direct Sequence Spread Spectrum (DSSS or DS-CDMA) • Baseband Infrared • DSSS is mostly used since FHSS cannot support high speeds without violating FCC regulations • All physical layers offer2 Mbps data rate • Radio uses 2,400 – 2,483.5 MHz frequency band • MAC layer is common to all physical layers
802.11 • 802.11 implementation
802.11 • Properties • Supports Isochronous and Asynchronous • Supports priority • Association/Disassociation to an AP in a BSS or ESS • Re-Association or Mobility Management to transfer of association from one AP to another • Power Management (battery preservation) • Authentication to establish identity of terminals • Acknowledgement to ensure reliable wireless transmission • Timing synchronization to coordinate the terminals • Sequencing with duplication detection and recovery • Fragmentation/Re-assembly
802.11 • Defines two authentication schemes • Open System Authentication • All mobiles requesting access are accepted • Shared Key Authentication • Uses shared key cryptography to authenticate
802.11 • Optional Wired Equivalent Privacy (WEP) mechanism • Confidentiality and Integrity of traffic • Station-to-Station • No end-to-end security • Integrity Check (ICV) • Implements RC4 PRNG[8] algorithm • 40 bit secret key • 24 bit initialization vector (IV)
802.11 • RC4 • Input: IV, Random Key, Plaintext • IV and key is input to E keystream output • Keystream output is XORed with plain text ciphertext • Keystream output is also fed back to I (to cause a variation as a function of IV and key); must not use same keystream twice • IV sent as an unencrypted part of the ciphertext stream (integrity must be assured)
802.11 • RC4 • Supports variable length keys • Most commonly used are 40 bits for export controlled systems and 128 bits for domestic applications • 128 bit encryption (104 bits key) • Standard does not specify key management or distribution • Provide a globally shared array of 4 keys • Supports an additional array that associates a unique key with each user station
802.11 • RC4 • A CRC32 bit stream is appended to the plaintext message to provide integrity • Does not ensure cryptographic integrity
802.11 • Vulnerabilities and Weaknesses • Authentication • Authentication and an association (binding between the station and access point (AP)) is required before transmission • States • Unauthenticated & unassociated • Authenticated & unassociated • Authenticated and associated • Two authentication methods mentioned earlier • Open System Authentication (OSA) • Shared Key Authentication
802.11 • OSA • Default authentication method • Two management frames exchanged • Station station MAC address, identifier (authentication request) AP • AP status field (authentication success or failure) • Authenticated and unassociated • Two frames to establish association • Most vendors implement a wireless access control mechanism based on examining the station MAC address and blocking unwanted stations from associating • Requires that a list of authorized MAC addresses be loaded on each AP
802.11 • OSA Weaknesses • Loading and identifying MAC addresses is manually intensive • Snoopers can get valid MAC addresses and modify a station to use the valid address • Potential to create problems with 2 addresses using the network at the same time
802.11 • Shared Key Authentication • Uses the optional WEP algorithm along with a challenge response system to mutually authenticate a station and an AP • APs beacon (announce presence) • Station beacon (AP address) • Station management frame (seq #1) AP • AP authentication challenge (seq #2) Station • Psuedo-random number + shared key + random IV • Unencrypted
802.11 • SKA • Station challenge • Copies into a new frame which is encrypted (WEP) • Shared key, new IV • AP • AP frame • Decrypts, • Checks CRC32 • Checks challenge • Repeat to authenticate the AP
802.11 • Shared Key Authentication Weaknesses • Snoopers monitor the second (unencrypted challenge) and third (encrypted challenge) exchanges • Plaintext of the original frame including the random challenge • Encrypted frame containing the challenge • IV used to encrypt the challenge • XOR of plaintext, ciphertext keystream to encrypt the challenge response frame
802.11 • Snooper does not have shared secret key but with keystream can enter the network • Requests authorization to the network • AP sends new challenge (new IV) • Compute a valid CRC-32 checksum • Encrypts the challenge with the keystream acquired earlier • Appends IV used and sends the frame • Further penetration cannot be achieved without the proper secret key
802.11 • RC4 Encryption • WEP does not implement a secure version of RC4 and violates several other cryptographic design and implementation principles • Suggestions have been made to not only increase the key sizes and strengthen key management, • Replace encryption algorithm • Addition of a session key derivation algorithm • Lengthening the IV to 128 bits • Adding a sequence number in dynamic keyed implementations • Addition of 128 bit cryptographic integrity check • Additional encryption of other payload elements
802.11 • Interception • 802.11 specifies three physical layers, • Infrared (IR) • Frequency Hopping Spread Spectrum (FHSS) • Direct Sequence Spread Spectrum (DSSS) • Broadcasts 900 MHz, 2.4 GHz, 5 GHz • Commercial wireless devices is readily capable of receiving all signals • It is also fairly simple to modify the device drivers or flash memory to monitor all traffic
802.11 • Keystream Reuse • Standard recommends but does not require changing the IV for every frame transmitted • No guidance is provided for selecting or initializing the IV • Two packets using the same IV and key allows a snooper to discover plaintext • The XOR of two ciphertexts the XOR of two plaintexts • Knowing one plaintext is all it takes • Berkeley indicates that some PCMCIA cards reset the IV to zero when initialized and then increment the IV by one for each packet transmitted
802.11 • Standard specifies the size of the IV field to be 3 octets (24 bits) • IV will rollover mode 24 • Reused after 224 packets • Since MAC frames range in size from 34 bytes to 2346 bytes • Min rollover occurs at 224 x 34 bytes (570 MB) • Max rollover occurs at 224 x 2346 bytes (40 GB) • Berkeley indicates a busy AP will rollover in about a half of a day operating at half capacity • Reading the IV is trivial since it is transmitted unencrypted
802.11 • Integrity Assurance • The ICV (Integrity Check Value) • Plaintext is concatenated with the ICV to form the plaintext to be encrypted • CRC32 – linear function • Possible to change 1 or more bits in the original plaintext and predict which bits in the CRC32 checksum to modify • Checksum is performed over the entire MAC packet • Includes higher level protocol routing address and port fields (can redirect message when changing IP address) • 32 bits (4 octets) in MAC frame
Solutions • IEEE is working on upgrade of security standard • Vendors can implement key management (external to the standard) • Limits choices (interoperability) • VPN (Virtual Private Network) • Provides a secure and dedicated channel over an un-trusted network • Provides authentication and full encryption
Solutions • A solution • Requirement – seamless integration into existing wired networks • link layer security is selected over end-to-end (machine-to-machine) • Requirement – two-way authentication • Requirement – flexibility to utilize the future advances in cryptography
Solutions • Authentication – public key cryptography • Certificates contain • {serial number, validity period, machine name, machine public key, CA name} • Mobile {Cert_Mobile, CH1, Kist of SKCSs} Base • CH1 is a random generated number • SKCSs is transmitted to negotiate algorithm used • Algorithm and key size are transmitted in list • Base verify signature on Cert_Mobile • Proves the public key in the certificate belongs to a certified mobile host • Not sure if the certificate belongs to the mobile • If certificate is invalid • Reject connection
Solutions • Base {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, SH1, List of SKCSs}} Mobile • Save RN1 for later use • Chosen SKCS is most secure from those supported by both • Mobile validates Cert_Base, verify signature of message (using public key of Base) • If CH1 and List of SKCS match those sent by mobile to base • Authenticate base • Mobile {E(Pub_Base, RN2), Sig{Priv_Mobile,{E(Pub_Base, RN2), E(Pub_Mobile, RN1)}}} Base • RN2 is randomly generated by mobile • RN1 XOR RN2 is used as a session key for all communications remaining
Solutions • Base verifies the signature of the message using Pub_Mobile • Authenticate mobile if valid • Decrypt E(Pub_Base, RN2) with private key • Form session key RN1 XOR RN2 • Session key formed in two parts sent in different messages for better protection • Compromising the private key does not compromise the traffic • Need to know both RN1 and RN2 • These transactions are to occur at the MAC layer prior to network access
Solutions • Confidentiality can be achieved using an existing symmetric cryptography algorithm • IDEA – International Data Encryption Algorithm • Uses Block Cipher with a 128-bit key • DES – Data Encryption Standard • Private key encryption (72 quadrillion possible keys) • Restricted for exportation by US Government • Shared key is agreed using mechanism above • Integrity can be achieved using a fingerprint generated by a one-way hash function • MD5 • SHA
Solutions • Key Change Protocol • Initialized by base or mobile • E.g., • Base Signed(Priv_Base,{E(Pub_Mobile, New_RN1), E(Pub_Mobile,RN1) }) Mobile • Mobile Signed(Priv_Mobile,{E(Pub_Base, New_RN2), E(Pub_Base, RN2) }) Base • New RN1 XOR RN2 value is used
Solutions • Key Management • One possible solution is to use the smart card technology • CA creates the private and public keys inside the smart card • Private key never readable from card • CA signs the public key with his private key and stores the public key to the smart card • Smart card is given to the end user to use in any wireless LAN mobile