1 / 66

Lecture 10 Mobile Security and M-commerce 第 10 讲 移动安全与移动商务

Lecture 10 Mobile Security and M-commerce 第 10 讲 移动安全与移动商务. §10.1 Basics of Security §10.2 Security in Cellular Networks §10.3 Security in WLAN §10.4 Security in Ad hoc Networks §10.5 Mobile Commerce. Confidentiality. Secure. Integrity. Availability. CIA – Requirements. Authentication.

viveka
Download Presentation

Lecture 10 Mobile Security and M-commerce 第 10 讲 移动安全与移动商务

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 10 Mobile Security and M-commerce第10讲 移动安全与移动商务 §10.1 Basics of Security §10.2 Security in Cellular Networks §10.3 Security in WLAN §10.4 Security in Ad hoc Networks §10.5 Mobile Commerce

  2. Confidentiality Secure Integrity Availability CIA – Requirements

  3. Authentication Secure Authority Accounting AAA -- Measurements

  4. Encryption • Symmetric-key cryptography • Block: AES, DES • Stream: RC4 • Hash: SHA, MD5 • Public-key cryptography • RSA, DH, etc.

  5. PKI • Infrastructure on Internet • digital certificates + public-key cryptography + certificate authorities

  6. Network Security

  7. Common Attacks and Countermeasures • Finding a way into the network • Firewalls • Exploiting software bugs, buffer overflows • Intrusion Detection Systems • Denial of Service • Ingress filtering, IDS • TCP hijacking • IPSec • Packet sniffing • Encryption (SSH, SSL, HTTPS)

  8. §10.2 Security in Cellular Networks • GSM provides • Subscriber identity confidentiality: • Protection against identifying which subscriber is using a given resource by listening to the signaling exchanges • Confidentiality for signaling and user data • Protection against the tracing of a user's location • Subscriber identity authentication: • Protection of the network against unauthorized use • Signaling information element confidentiality: • Non-disclosure of signaling data on the radio link • User data confidentiality: • Non-disclosure of user data on the radio link

  9. Authentication in GSM

  10. Authentication in GSM

  11. Authentication in GSM -- Summary • ‰Only the mobile authenticates itself to the network • Authentication is based on challenge-response: • Challenge-response vectors are transmitted unprotected in the signaling network • ‰The permanent identification of the mobile (IMSI) is just sent over the radio link when this is unavoidable: • This allows for partial location privacy • As the IMSI is sometimes sent in clear, it is nevertheless possible to learn about the location of some entities • An attacker may impersonate a base station and explicitly demand mobiles to send their IMSIs! • ‰ Basically, there is trust between all operators!

  12. General Packet Radio Service (GPRS) • Data transmission in GSM based on packet switching • Using free slots of the radio channels only if data ready

  13. GPRS Protocol Architecture

  14. GPRS Security • Security objectives: • Guard against unauthorised GPRS service usage (authentication) • Provide user identity confidentiality (temporary identification and ciphering) • Provide user data confidentiality (ciphering) • ‰ Realization of security services: • Authentication is basically identical to GSM authentication: • SGSN is the peer entity • Two separate temporary identities are used for GSM/GPRS • After successful authentication, ciphering is turned on • ‰ User identity confidentiality is similar to GSM: • Most of the time, only the Packet TMSI (P-TMSI) is send over the air • Optionally, P-TMSI “signatures” may be used between MS and SGSN to speed up re-authentication • User Data Confidentiality is realized between MS and SGSN: • Difference to GSM which just ciphered between MS and BTS • Ciphering is realized in the LLC protocol layer

  15. 3G Security

  16. UMTS Security Architecture (I) Network access security: protect against attacks on the radio interface (II) Network domain security: protect against attacks on the wireline network (III) User domain security: secure access to mobile stations (IV) Application domain security: secure message exchange for applications (V) Visibility and configurability of security: inform user of secure operation

  17. UMTS Network Access Security Services • User identity confidentiality : • User identity (IMSI) confidentiality • User location confidentiality • User untraceability • Entity authentication: • User authentication • Network authentication

  18. UMTS Network Access Security Services • Confidentiality: • Cipher algorithm agreement • Cipher key agreement • Confidentiality of user data • Confidentiality of signaling data • ‰ Data Integrity: • Integrity algorithm agreement • Integrity key agreement • Data integrity and origin authentication of signaling data

  19. UMTS Authentication Mechanism

  20. Generation of UMTS Authentication Vectors

  21. Generation of UMTS Authentication Vectors • The HE/AuC starts with generating a fresh sequence number SQN and an unpredictable challenge RAND • For each user the HE/AuC keeps track of a counter SQNHE • An authentication and key management field AMF is included in the authentication token of each authentication vector • Subsequently the following values are computed: • a message authentication code MAC = f1K(SQN || RAND || AMF) where f1 is a message authentication function • an expected response XRES = f2K(RAND) where f2 is a (possibly truncated) message authentication function • a cipher key CK = f3K(RAND) where f3 is a key generating function an integrity key IK = f4K(RAND) where f4 is a key generating function; • an anonymity key AK = f5K(RAND) where f5 is a key generating function • ‰ Finally the authentication token AUTN = SQN ⊕ AK || AMF || MAC is constructed.

  22. UMTS User Auth. Function in USIM

  23. UMTS User Auth. Function in USIM • Upon receipt of RAND and AUTN the USIM: • computes the anonymity key AK = f5K (RAND) • retrieves the sequence number SQN = (SQN ⊕ AK) ⊕ AK • computes XMAC = f1K (SQN || RAND || AMF) and • compares this with MAC which is included in AUTN. • ‰If they are different • The user sends user authentication reject to the VLR/SGSN • ‰If the MAC is correct • The USIM verifies that the received sequence number SQN is in the correct range: • If SQN is not in the correct range, the USIM sends synchronisation failure back to the VLR/SGSN • If SQN is in the correct range, the USIM computes: • the authentication response RES = f2K(RAND) • the cipher key CK = f3K(RAND) and the integrity key IK = f4K(RAND).

  24. Network Access Security in UMTS -- Summary • Similar to GSM security: • The home AUC generates challenge-response vectors • ‰The challenge-response vectors are transmitted unprotected via the signaling network to a visited network that needs to check the authenticity of a mobile • IMSI is still revealed to the visited network • Still assumes trust between all network operators • Unlike in GSM • The network also authenticates itself to the mobile‰ ‰

  25. §10.3 Security in WLAN • Most common variant is IEEE 802.11n, with data rate up to 150Mbps • Alternative version 802.11a/b/g • 802.11 security • Shared media – like a network hub • Requires data privacy - encryption • Authentication necessary • Can access network without physical presence in building • Once you connect, you are an “insider” on the network

  26. 802.11 Security Approaches • Closed network • SSID can be captured with passive monitoring • MAC filtering • MACs can be sniffed/spoofed • WEP • Can be cracked online/offline given enough traffic & time • WPA and/or EAP • More secure

  27. Wired Equivalent Privacy (WEP) • Part of 802.11 specification • To achieve equivalent security as wired link • Uses RC4 for encryption • Shared key – 40 /104 bits • A 24-bit initialization vector (IV)

  28. WEP Authentication • Open system authentication • Essentially it is a null authentication algorithm • Simple handshake – just two messages with no security benefit • Usually enhanced with Web-based authentication • E.g. SYSUWLAN

  29. Shared Key Authentication • Mobile node sends request to AP • AP sends a 128-byte challenge text • Mobile node encrypts the challenge text • using the shared secret key and an IV, • Mobile node sends the secret text to AP. • AP decrypts the text and • compare with the original challenge text – a match proves that mobile node knows the secret key. • AP returns a success/failure indication to mobile node and completes the authentication process

  30. WEP Data Encryption • To protect users from “casual eavesdropping” • Depends on an external key management service to distribute data enciphering/deciphering keys. • A block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length. • The key sequence is generated by the WEP algorithm.

  31. WEP Data Encryption PRNG: pseudorandom number generator

  32. WEP Frame Body Expansion

  33. Problems with WEP • Key Generation • ICV Generation • Weak Key’s and Weak IV’s • WEP Attacks

  34. Key Generation Problems • The main problem of WEP is Key Generation. • Secret Key is too small, only 40 Bits. • Very susceptible to brute force attacks. • IV is too small. • Only 16 Million different possibilities for every packet. • Secret Keys are accessible to user, therefore not secret. • Key distribution is done manually.

  35. ICV Generation Problems • The ICV is generated from a cyclic redundancy check (CRC-32) • Only a simple arithmetic computation. Can be done easily by anyone. • Not cryptographically secure. • Easy for attacker to change packet and then change ICV to get response from AP.

  36. Weak Key’s and IV’s • Certain keys are more susceptible to showing the relationship between plaintext and ciphertext. • There are approx 9000 weak keys out of the 40 bit WEP secret key. • Weak IV will correspond to weak keys.

  37. Attacks • Replay • Statistical gathering of certain ciphertext that once sent to server will cause wanted reaction. • 802.11 LLC Encapsulation • Predictable headers to find ciphertext, plaintext combinations • Denial of Service Attacks • Flooding the 2.4Ghz frequency with noise.

  38. WPA/WPA2 • Wi-Fi Protected Access • Also referred to as the IEEE 802.11i • WPA available around 1999 • WPA2 became available around 2004 • Enhanced security to replace WEP • Improved data encryption • User authentication

  39. WPA/WPA2 • Authentication • 802.1x & EAP • allows auth. via RADIUS • also allows auth via PSK (pre-shared key) • Encryption: • WPA: TKIP • WPA2: CCMP

  40. WEP vs. WPA vs. WPA2

  41. WPA Modes • WPA-Enterprise • w/RADIUS for authC • WPA-PSK • For home or SOHO • “Pre-Shared Keys (PSK)” mode • User enters master key on each computer • Master key kicks off TKIP & key rotation • Mixed-mode • Operates in WEP-only if any non-WPA clients

  42. WPA Authentication • IEEE 802.1x • Authentication mechanism to devices of LAN or WLAN • with encapsulation of the Extensible Authentication Protocol (EAP)

  43. 802.1x Authentication

  44. §10.4 Security in Ad hoc Networks • Security “on the air” • Secure routing • PKI in Ad hoc

  45. “Over the Air” • Threats due to wireless communication • Attacks • Eavesdropping, jamming, spoofing, “message attacks” • Sleep deprivation torture • Counter measures • First attacks are not specific to ad hoc networks, well researched in military context:frequency hopping, spread spectrum

  46. Secure Routing • Great number of attacks possible by • Not participating at all to save battery or partition the network • Spamming the network with RREQ • Changing routing information in RREP messages • Constantly or never replying with RERR • …

  47. Securing Routing • Idea • Punish non collaborative/malicious nodes by non-forwarding their traffic • How to achieve? • Detection through “neighborhood watch” • Building a distributed system of reputation • Enable “re-socialization” through timeouts in the black list.

  48. Securing Routing Information • Idea • Share the routing information through a secure channel • How to achieve? • Requires key management and security mechanisms

  49. PKI in Ad hoc • Threshold Cryptography • Self-organized PKI

  50. Threshold Cryptography • Emulate the central authentication authority by distributing it on several nodes acting as servers • Private Key is divided into n shares s1, s2, ... sn

More Related