Security in Current Commercial Wireless Networks: A Survey

Transcription

1 Security in Current Commercial Wireless Networks: A Survey Fabian Andre Perez School of Electrical and Computer Engineering Purdue University West Lafayette, IN fperez@purdue.edu 1 Abstract The goal of this survey is to give an overview of the current practices in the security mechanisms used in the current commercial Wireless Networks. The study will try to cover all the scope of Wireless Networks from the well known standards for WLAN to the 3G standards for Wireless Cellular Technologies. This article is not intended to cover the details of each technology but will try to give a high level view of the solutions used to secure each technology. I. INTRODUCTION Everyday, technology is innovating the way people interact among each other. In the last years, Wireless Networks -in all its flavors- have revolutionized the way people communicate, and for the first time it gives the customers the feeling of being virtually connected (by voice, messaging, video applications over cell phones, , VoIP, messaging over internet). It is this closeness or convenience that has made current Wireless Networks so successfull. The more we get used to a communication tool, the more we trust it. For good or for bad, this is the reality today, and current technology aims to be even more intimate in the way to interact with people. However, in the last few years some concern has been raised about the security strength of the commercial Wireless Networks; this is precisely the motivation of this document. To offer a clear presentation, easy to understand, of how each major Wireless Technology is using security standards and practices to offer the security level customers deserve and demand. This study will analyze various technologies, which are listed in II. For each technology, first a simple but clear introduction is offered in order to make the following security analysis easier to present. Then a section detailing how each technology is using secure mechanisms in order to enforce their security policy is presented. Even though an introduction section is offered for each technology, some background knowledge is assumed in wired and wireless networks and Information Security. A secondary but important objective of this study was the compile a glossary about the countless acronyms used in the field.

2 2 II. WIRELESS STANDARDS AND TECHNOLOGIES As beforementioned, this document focuses the attention into various currently widely used Wireless Networks. The technologies reviewed are: 1) IEEE ) IEEE ) IEEE Bluetooth 4) IEEE Zigbee 5) HomeRF 6) IrDA 7) UMTS 8) CDMA2000 Following we treat each technology separately.

3 3 III The IEEE standards are a set of specifications to provide the same functionality as the IEEE CSMA/CD (Ethernet) standard. That is, to implement LAN s but with the air as a transmission medium instead of cables. The resulting communication networks are known as WLAN s (Wireless LAN s). IEEE is a member of the family IEEE 802 which handles specifications for Local Areas Networks (LAN s). In this study we will describe the specifications related with security. A bigger discussion of the several members of the IEEE 802 family can be found in [1]. The standards have evolved since their first appearance in 1989 [1], [2]. The protocol covers specification for Layer 1 (physical) and Layer 2 (data link) of the OSI model. Access Points (APs) use also layer 3 (IP Layer), but it is for management purposes only. However, current APs could be configured as a mix of APs, switches, routers, and even firewalls. A light overview of some of the standards that form the IEEE family that are more related to this study are: This is the original standard, it specifies transmissions speed of 2Mbps or 1Mbps. It works in the 2.4GHz ISM band using either FHSS or DSSS with PSK modulation a This standard came after b; therefore, trying to fix the problems encountered with and b. It operates in the 5GHz band (U-NII). Therefore it can coexist with b without causing interference. It has 12 non-overlapping channels. The encoding scheme is OFDM and the data speeds depend in the modulation technique: 54 & 48 Mbps (64-QAM), 36 & 24 Mbps (16- QAM), 18 & 12 Mbps (QPSK), and 9 & 6 Mbps (BPSK). The coverage range is approximately 60 feet [3]. The advantages of a are the speed (54Mbps) compared to b (11 Mbps), also the likelihood of interference in the 5 GHz is less than in the 2.4 GHz where other applications compete for the same frequency space (cordless phones, microwaves, baby monitors, Bluetooth). A disadvantage is the reduced range of coverage compared to b, which results in more APs to cover the same area. Other disadvantage is that there is no backward compatibility with b, so a equipment can not communicate directly with b equipment. Also, because it is not so popular, equipment is more costly; therefore, deployment costs are higher. Finally, the 5 GHz frequency band is allocated in USA; however, in other countries this band is already used for other purposes b This is the most successful technology among the family. The standard operates in the 2.4GHz band (ISM). It has 11 channels but only three (1, 6, 11) are non-overlapping. It uses DSSS as Encoding Scheme, and the data speed with its respective modulation are: 11 & 5.5 Mbps (CCK), 2 Mbps (DQPSK), 1 Mbps (DBPSK). Its range is approximately 300 feet [3]. The advantages of b are: The 2.4 GHz frequency band is available internationally. It is the most popular standard, which means that hot spots implemented in public areas (cafes, airports, libraries, book stores) use this standard to attract most people. For the same reason, the equipment is relatively affordable. The principal disadvantage is that it uses the 2.4 GHz ISM band, and the frequency band is polluted with other applications. This, added with the fact that b has only 3 non-overlapping channels, makes some environments too noisy, and to deploy a functional b network is a real challenge. As a consequence the throughput is usually much lower than the expected 11 Mbps. Also, the low tipical throughput speed makes it impractical for some bandwidth-hungry applications like multimedia or real time applications g This technology evolved from the successful b. The standard operates in the 2.4GHz

4 4 band (ISM). It has 11 channels but still only three (1, 6, 11) are non-overlapping. It uses OFDM as Encoding Scheme, and the data speed with its respective modulation are: 54, 48, 36, 18, 12 & 6 Mbps (OFDM) 11 & 5.5 Mbps (CCK), 2 Mbps (DQPSK), 1 Mbps (DBPSK). Its range is approximately 300 feet [3]. The advantages is that g standard defines the way wireless LAN gear communicates at up to 54 megabits per second while remaining backward-compatible with 11-Mbps b. This important breakthrough enables streaming media, video downloads, and real time applications. Also, g enables networks to upgrade hardware while remaining backward compatibility with b. The principal disadvantage of g is the same one that b has. The frequency band has to be shared with a lot more applications. Another technical detail is that to be able to achieve 54 Mbps throughput, g gear must be present in the client and in the AP s. If one of them is b only, then all the network will reduce the speed to work at b specifications. Within IEEE , there are several working groups devoted to solving several wireless issues. Some other groups that should be considered are: d This group works in the specifications of general Internationalization issues e This group works in the specifications for QoS support for a, b, g. This is necessary for delay-sensitive applications such as Voice over Wireless IP f This group works in IAPP: Inter-Access Point Protocol, which handles the issues that exists in inter-ap s communication to properly roam mobile users n A standard reportedly in the works that would boost a, b, and g speeds up to 108 Mbps and higher n is not yet official. IEEE i is strictly related with security (the main topic of this study), so it will be widely discussed in the next section. Further information about these working groups can be found at [4]. Security Analysis of IEEE The first approach of security in was to offer a Wired Equivalent Privacy (WEP). However, today we know WEP do not offer the security level expected. Other solutions have being presented since the failure of WEP. Here we will review each one of them highlighting the most interesting points of each one. A. Wired Equivalent Privacy WEP was the first attempt to offer security in the IEEE standards. However, in the last few years the research community has proven that WEP design flaws and specially the poor implementations by vendors caused the failure of WEP to provide the security level required in critical communications. Several successful attacks have being published and are widely available to the community. First we will present how WEP works, and then analyze its design and the flaws that were present in the protocol since its design. Even though some of the problems with WEP are in the implementation by vendors, originally WEP was not envisioned as an ultimate solution for security, so WEP design was never cryptographically rigorous. The flaws in design of the protocol are the ultimate problem because they are really challenging to correct. The upper part of Figure 1 shows the WEP engine. The first step is to calculate a 32-bit Cyclic

5 5 Fig. 1. WEP Engine & Frame Extensions Redundancy Check (CRC) checksum operation of the plaintext in order to offer integrity of the plaintext. This is the first flaw of the protocol because CRC is not a cryptographic function to offer integrity like Hashing functions (SHA, MD5), CRC is an error detection function widely used in data communications. Consequently, some attacks use this flaw and successfully modify the packet and the CRC so the protocol still validate the packet as not modified. The CRC in WEP is known as Integrity Check Value (ICV); this ICV is appended to the plaintext and XORed with a keystream to generate the ciphertext. From the other side, the Secret Shared Key is appended to the Initialization Vector (IV) and passed to the RC4 Pseudo-Random Number Generator (PRNG) to generate a Keystream equal in length to the Plaintext-ICV combination. The Keystream is a sequence of 1 s and 0 s derived from the IV-Secret Key. The last step is to preppend the IV header in clear to the ciphertext and this will be the frame to transmit as shown in the bottom part of Figure 1. For decryption WEP follows the same process but in reverse. First, the IV is extracted from the MAC Data Unit and prepended to the secret key, this is passed to the RC4 PRNG to obtain the keystream. The keystream is XORed with the encrypted frame to obtain the plaintext plus its ICV, a new CRC checksum of the plaintext is generated and compared with the value in the ICV to determine if the packet was modified in transit. If the values do not match, then the packet is assumed to be tampered and discarded. One of the problems with WEP is that do not specify how to generate and implement IV s. The IV are 24-bit sequences that are prepended to the secret shared key, and these together are the seed of the RC4 PRNG. One of the main requirements of RC4 in order to keep the information secure is that the seed value has never, ever to be repeated. However, the secret shared key normally are fixed and in a busy network, the 24-bit IV space will be exhausted in a matter of hours; consequently, IV s will be inevitably repeated. This repetition of seed values are known as IV collisions. Reuse of IV is enforced in the protocol. An attacker, who is logging data from the target wireless network can detect such IV collisions, and a number of attacks are possible when IV collisions occur [3]. One issue that has to be commented here is that vendors normally market WEP with the secret key as 64 or 128 bits long. However, 24 of those are reserved for the IV, so effectively the length of the keys are 40 or 104 bits long respectively. Another issue with WEP is Key Management. WEP is a symmetric key encryption mechanism; con-

6 6 sequently, the same key must be shared between any sender and any receiver does not address how to distribute the keys, and normally this is done manually by the system administrator. In a small network this is not complicated, but in a medium or big network this mechanism is simply not applicable. Moreover, if one of the machines is compromised, then the key must be changed in all the network because all the network shares the same key. Because reuse of IV is accepted, Message Injection is also a possibility. If the attacker knows the plaintext and ciphertext of a packet, then the keystream can be derived (Remember P laintext Keystream = Ciphertext). Once the keystream is derived, any plaintext can be encrypted using the derived keystream and the resulting ciphertext will be accepted by the protocol because reuse of IV is allowed by the protocol. As an example, the authentication process using WEP is as follows: 1) Client send authentication request to AP. 2) AP send a 128 bit challenge text to client. 3) Client encrypts challenge text with Shared Key and sends back to the AP the encrypted challenge. 4) AP receives encrypted challenge and compare it with one generated locally. 5) AP responds with success or failure message. Following this process, a potential attacker will have the plaintext and its associated ciphertext, and using the Message Injection technique the keystream can be derived. Using the same keystream, the attacker can request authentication to the AP, and gets authenticated even without knowledge of the WEP key. This attack will work because the AP will accept reused keystreams. Another issue comes from some poor vendor implementations. Security researcher Tim Newsham discovered that key generators from some vendors are flawed. A brute force attack on a 40-bit key using a weak key generator could take less than a minute to crack [3]. The PRNG for the 128 bit WEP was not flawed. Finally, the ultimate hit against WEP came from a paper titled Weaknesses in the Key Scheduling Algorithm of RC4 from Scott Fluhrer, Itsik Mantin and Adi Shamir [5]. In this paper several weaknesses in the key scheduling algorithm of RC4 are presented, and their cryptanalytic significance is described. A large number of weak keys are identified, and if enough information is collected that use these keys, then the secret key can be determined with little work. The most important aspect of this passive ciphertext only attack is that it can recover an arbitrarily long key in a negligible amount of time which grows only linearly with its size. Implementing an attack using the weaknesses described in the paper is known as FMS attack. Programs widely available like AirSnort, WEPCrack, and dweputils are based in the FMS attack. The problem with the FMS attack is that it requires a considerable amount of traffic from the target network (5-10 million encrypted packets [6]). In a busy network this task can take hours, but in a low traffic network this can take days or weeks. Once enough data is collected, the secret key can be recovered with little computation. Because the FMS attacks have been successful, vendors have made available firmware updates for their network devices in order to avoid the usage of weak keys. As a consequence, in a network well maintained and with long keys, to break WEP is not a trivial task, but not impossible either. As an example, Neil Ferguson (the designer of Michael the message integrity code algorithm used in TKIP) has been quoted saying that using a wireless network for mission-critical data is plain stupid. Using it for life-critical data is criminally negligent [3].

7 7 B i Because of the many issues WEP presented, the group was under pressure to develop a reliable solution. In October 2002, Wi-Fi Alliance presented Wi-Fi Protected Areas (WPA - Originally called WEP2). WPA is a subset of the i standard, and was released before i because all the parts of the standard were not ready. Integrity Handling (TKIP), and Key Management (802.1X) were ready, while the symmetric cipher (AES), and secure de-authentication/dis-association were not. On June , i was approved by the IEEE Standards Board. The Wi-Fi Alliance soon announced the creation of WPA2 in order to cover the new specifications dictated by i. Because the Wi-Fi Alliance is vendor driven and has focus in implementation, we are going to describe what the i standard says, and not analyze WPA, or WPA2. IEEE i defines a Robust Security Network Association (RSNA). In a RSNA, provides function to protect data frames, IEEE 802.1X provides authentication and a Controlled Port, and and 802.1x collaborate to provide key management. The security enhancements that i describes over the original standard are the requirements and procedures to provide confidentiality of the user information being transfered in the Wireless Medium and authentication of conformant devices i, mainly defines a number of security features in addition to WEP and IEEE authentication [7]. These features include the following: Enhanced authentication mechanisms for Stations. Key management algorithms. Cryptographic key establishment. An enhanced data encapsulation mechanism, called CTR [counter mode] with CBC-MAC [cipherblock chaining (CBC) with message authentication code (MAC)] Protocol (CCMP). Optionally, Temporal Key Integrity Protocol (TKIP) i relies on several components external to the IEEE architecture. The first component is IEEE 802.1X, and a second component is the Authentication Server (AS). In a RSNA, the 802.1X Port determines when data can flow through the connection. An 802.1X Port consist of one Controlled Port and one Uncontrolled Port. The Controlled Port is blocked to pass information until it is cleared by an 802.1X authentication procedure that is conducted through the Uncontrolled Port. Normally, all traffic should flow through the Controlled Port, except the authentication process. Two security services are provided by : Authentication and Confidentiality. For authentication, an RSNA uses 802.1X authentication service with TKIP and CCMP. For Confidentiality and Data Integrity, RSN key management with TKIP and CCMP are used. In an ad-hoc network (IBSS - Independent Basic Service Set), each station is in charge of enforcing the security policy. In a Infrastructure Network (ESS - Extended Service Set), the AP s are in charge of enforcing the security policy. Let s review each component of the standard. 1) Authentication: defines three authentication methods: Open System, Shared Key, and RSNA. Open System Authentication admits any station to the Distribution System (DS:A system used to interconnect a set of basic service sets (BSSs) and integrated LANs to create an extended service set (ESS)). Shared Key Authentication relies in WEP to demonstrate knowledge of the WEP encryption key. An RSNA support authentication based on 802.1X, or preshared keys (PSK) X uses Extensible Authentication Protocol (EAP) to authenticate stations and the Authentication Server (AS). 2) Confidentiality: i accepts three different cryptographic algorithms to protect traffic information: WEP, TKIP, and CCMP. WEP and TKIP use RC4 as the encryption engine. CCMP is based on the Advanced Encryption Standard (AES). The default confidentiality state of data units in is in the clear; if confidentiality is not used, then all information should be sent unprotected.

8 8 3) Key Management: The enhanced authentication, confidentiality, and replay protection mechanisms demand fresh cryptographic keys. The keys are distributed using 4-Way Handshake and Group Key Handshake protocols. 4) Data Origin authenticity: Data Origin Authenticity mechanisms means that a station can verify which station sent the MAC Protocol Data Unit (MPDU). This is to prevent possible masquerading attacks. This service is provided using CCMP or TKIP. Also, Replay Attacks are avoided using Replay detection mechanisms. This service is provided by CCMP or TKIP. 5) 802.1X & EAP: 802.1X is a protocol that enables port-based authentication. All stations have associated ports, and all traffic is blocked in the station port until the client gets authenticated by an Authentication Server (AS). Extensible Authentication Protocol (EAP) was created originally as an extension to the Point-to-Point Protocol used in dial-up connections. It defines a generalized framework for multiple authentications, so a particular application could use the EAP framework and authenticate its users using any authentication method. The open standard defined by EAP could also accept authentication mechanisms that have not being invented yet X is just a protocol that implements EAP over wired or wireless networks. It has three basic components: Supplicant: The client or stations that require access to the network. Authenticator: An entity that acts as an intermediary between the Supplicant and the Server (Usually the AP). It is in charge of blocking/allowing traffic flow and facilitating the authentication process. Authentication Server (AS): It is the machine that holds authentication information of the clients and processes the acceptance/rejection of a station in the authentication process. As mentioned before, depends on 802.1X to control the flow of MAC Protocol Data Units (MPDU) between the DS and the stations by using the 802.1X Controlled/Uncontrolled Ports X authentication frames are passed through the Uncontrolled port of 802.1X. The Controlled Port is blocked for traffic until the 802.1X authentication procedure completes successfully between the Supplicant and the AS through the uncontrolled port. It is the responsibility of the Supplicant and Authenticator to implement port blocking. There exists a unique pair of ports for each association between stations uses 802.1X and the 4-Way Handshake and Group Key Handshake in order to establish and exchange cryptographic keys [7]. The cryptographic keys are generated only after a successful authentication has been granted. The 802.1X procedure is depicted in Fig. 2. The 4-Way Handshake is initiated by the Authenticator in order to perform the following tasks: Confirm that a live pair still uses a Pairwise Master Key (PMK). Confirm the PMK is current. Generate a fresh Pairwise Transient Key (PTK) from the current PMK. Set up the pairwise encryption and integrity keys into Feed Group Temporal Key (GTK) information from Authenticator to stations and AP. Confirm the cipher suite selection. When the 4-Way Handshake is successfully completed, the Supplicant and Authenticator have authenticated themselves. Then the Controlled Port is open and the flow of normal information is granted. The GTK is used by the Authenticator to send broadcast/multicast messages to the stations and receive unicast.

9 9 Fig. 2. IEEE 802.1X EAP authentication [7] When an 802.1X infrastructure is not implemented, the procedures are identical but the PSK is the PMK (See III-B.6). 6) Pre-Shared Key: In small Wireless Networks like SOHO s, the deployment of an 802.1x infrastructure for key distribution is overkilling and not practical. Therefore, i introduces a special mode of key distribution called Pre-Shared Key (PSK). In this mode, a shared secret key called Master Key must be entered manually in all AP, and all clients. A 256-bit PSK may be configured in the clients cards and AP, or a pass-phrase may be configured. The method used to configure the PSK is outside the i standard, but one way that can be used is via user interaction. If a pass-phrase is configured, then a 256-bit key is derived and used as the PSK [7]. 7) Security Methods: i defines Pre-RSNA and RSNA security methods. Pre-RSNA methods are implemented by the following algorithms: WEP entity authentication RSNA security is provided by the following algorithms: TKIP CCMP RSNA establishment and termination procedures, including 802.1X authentication. Key management procedures RSNA equipment is the hardware capable of establish RSNA associations. Pre-RSNA equipment conforms the equipment ready for WEP, and WPA only. These equipment need hardware upgrade in order to establish RSNA associations. WEP was already introduced in section III-A. 8) Entity Authentication: In an ESS, a station and an AP must complete an authentication before an association. This exchange is optional in an IBSS i defines two authentication methods.

10 10 Open System Authentication is the default authentication algorithm for Pre-RSNA equipment. It uses a two-message authentication transaction sequence. The first message states identity and request authentication. The second message confirms or denies authentication. Shared Key Authentication authenticates stations that share a common known key. It is used with WEP, and i states that this mechanism is deprecated and should not be implemented, except for backward compability with Pre-RSNA hardware. 9) Temporal Key Integrity Protocol (TKIP): i states that implementation of TKIP is optional. TKIP has three main elements: Per-Packet key mixing function. Message Integrity Code (MIC) function known as Michael. Enhancement in sequencing rules for IV. TKIP offered a fix for the main problems related with WEP. Its main purpose is to be applied to existing hardware via software upgrades, and offers backward compatibility with major hardware existing. Therefore, it could be deployed right away. Fig. 3. TKIP engine [7] Figure 3 shows the block diagram of the TKIP engine. First, the client obtains a pair of keys: a 128-bit encryption key called Temporal Key (TK), and a 64-bit data integrity key called Message Integrity Code (MIC) key. These keys are obtained securely by an 802.1x Key Distribution scheme (see III-B.5), or by a manual configuration (See III-B.6). As the diagram shows, the TK, the transmitter s MAC address (TA) with a subset of the TSC (TKIP Sequence Counter) are fed to a cryptographic Phase 1 Key Mixing Function to obtain a intermediate key TTAK (TKIP-mixed transmit address and key). This is fed to a cryptographic Phase 2 Key Mixing function that also takes the second part of the TSC and the TK to produce the WEP Seed. This is passed as the IV-Secret key to the RC4 PRNG like done in normal WEP. From the other side, the MIC Key, the sender s MAC address (SA), the destination MAC address (DA), a priority, and the plaintext message are used to calculate a keyed cryptographic message integrity code (MIC). The MIC is appended to the plaintext before any fragmentation and then passed to the WEP engine. As explained before in the WEP section, the WEP engine takes the IV-Secret Key value as an RC4 seed to generate a keystream that is then XORed with the plaintext to generate the ciphertext.

11 11 Let s clarify some points. Michael uses a cryptographically sound one-way hash function designed by Neil Ferguson to offer integrity [3]. It uses the MIC key, the source address, and destination address; therefore, MAC integrity can be verified. The Michael output is 8 octet long and appended to the data frame. The IV space in TKIP and i has being incremented from 24 to 48 bits. With such IV space, the probability of collisions is negligible. Also, the Per-packet key is no longer stationary as in WEP (shared key), it is mixed in two phases with a secure key (TK), a Sequence Counter (TSC), and the transmitter address (TA) by a Feistel cipher designed by Doug Whiting and Ron Rivest [3]. This strategy eliminates per-packet key correlation and replay attacks; as a consequence, the FMS attacks are also eliminated. Some remote attacks are still conceivable because of the underlying use of the WEP engine; however, their impact is greatly reduced by all the countermeasures designed [7]. The changes in the Data Unit are shown in Fig 4. Fig. 4. Expanded TKIP Data Unit [7] 10) CCMP: i states that implementation of CCMP is mandatory for devices claiming to be RSNA compliant. CCMP stands for CTR (Counter mode) with CBC-MAC (Cipher-Block Chaining with Message Authentication Code) Protocol. It provides authentication, confidentiality, integrity, and replay protection. All AES processing used within CCMP uses AES with a 128-bit key and a 128-bit block size. CCM is a generic mode that can be used with any block encryption algorithm. Some of the requirements of CCM are: CCM requires a fresh temporal key for every session. CCM requires a unique nonce value for each frame to be protected. It uses a 48-bit Packet Number (PN) for this purpose. For CCM reuse of PN with same temporal key voids all security. CCMP expands the MPDU by 16 octet as Fig 5 shows. 8 octet are for the CCMP header, and 8 octets for the MIC. The 48-bit PN is distributed in 6 octets. The ExtIV bit is set to 1 for CCMP. The encapsulation block diagram of CCMP is shown in Fig 6. Here the PN is incremented and used to construct the nonce and the CCMP header, so the PN never repeats with the same TK. The incremented PN with the Address 2 from the MPDU and the priority (reserved) are used to construct the nonce. Fields that need to be authenticated are incorporated in the Additional Authentication Data (AAD) for CCM. Information like Frame Control Fields, Addresses, Sequence Counter, and Quality of Service Control Field are present in the AAD. The AAD, nonce and TK, along with the MPDU, are used in the CCM encryption to generate the Encrypted Data and the MIC. Finally, the Expanded CCMP MPDU is assembled as shown

12 12 Fig. 5. Expanded CCMP MPDU [7] Fig. 6. CCMP encapsulation Block Diagram [7] in Fig. 5. In the decryption process, the CCMP recipient checks the authentication and integrity of the frame body and the ADD also decrypts the frame body and only if the MIC check is successful, the plaintext is returned. 11) RSNA Security Associations Management: Security Associations are used to guarantee secure communications, and these associations provide information about the cipher solutions to be used. A Security Association is the set of policies, keys, and parameters used to protect information. The information in the security association must be stored in each entity that will use the association, and has to be consistent with all parties. There are four security associations supported by RSNA: PMKSA: When a successful 802.1X, PSK, or PMK has been established. PTKSA: When a successful 4-Way Handshake has been established. GTKSA: When a successful Group Key Handshake, or 4-Way Handshake has been established. STAKeySA: When a successful STAKey has been established (Ad-Hoc Infrastructure). 12) Key Management procedures: RSNA defines two hierarchies of keys: Pairwise key hierarchy. this is to protect unicast traffic.

13 13 GTK to protect multicast or broadcast traffic. Pairwise key support with TKIP or CCMP allows the receiving station to identify and authenticate the MAC address of the sender station. Therefore, any MAC address spoofing will be detected. This feature is not supported with GTK. In an ESS, the 802.1X Authenticator MAC address (AA) and the AP BSSID are the same, and the Supplicant MAC address (SPA) and the station MAC address are the same Conclusions In this section we have reviewed the standard. First, a short introduction to the several parts that form the standard were described; then, the principal points of the new amendment i were presented. It should be clear by now that the first approach of security WEP was not successful in delivering the security level expected. As a second and temporal solution, the Wi-Fi Alliance introduced WPA with the parts of i that were ready by Mainly, an adaptation of TKIP and 802.1X are used in WPA to solve the shortcomings of WEP. By the time of writing of this document the main achievement of WPA was to successfully solve the aforementioned problems, and still run in legacy hardware that were designed only to support WEP (Software and Firmware upgrades are necessary) i is a more consciously designed security protocol with Authentication, Identity and Confidentiality in mind since the design time. It includes per-port authentication (802.1X) and can be implemented to support highly sophisticated authentication schemes like per-user authentication using PKI (EAP). It uses a strong encryption algorithm (AES-CCMP), and supports per-mpdu authentication, integrity, and replay control; therefore, offering a strong solution for security in Wireless Networks. It also contains TKIP for cases where RSNA hardware has to coexist with Pre-RSNA hardware i is a fairly new security protocol and still has to hold the test of time; however, the design principles applied and the amount of reviews that it has gone through give some comfort to Network Engineers and Implementators.

14 14 IV IEEE also know as WiMax, which stands for Worldwide Interoperability for Microwave Access, is designed to provide metro area Broadband Wireless Access (BWA). The original idea behind WiMax was to deliver wireless Internet access to a fixed location to compete with technologies like cable modem and Digital Subscriber Line (DSL). Before getting into technical details let s review the potential markets that are the driving forces of the technology. Fixed location Private Line Services: The initial application was to provide traditional dedicatedlines via the air at transmission rates up to 100 Mbps using line-of-sight outdoor antennas. Broadband Wireless Access/Wireless DSL: To be direct competition with cable modem and DSL technologies, and to offer access to remote areas where other technologies were not viable. It would offer rates of 512 Kbps and 1 Mbps using low-cost, indoor, user installable premises that will not require line-of-sight with Base Station. Mobile Users: Using low frequencies (<6 GHz) e is developing support for mobile users with speeds up to 75 MPH and will be compatible with the fixed location systems. There are several substandards that form the IEEE family, here we will review the most relevant for our discussion: The original IEEE standard approved in December 2001 developed a point-tomultipoint broadband wireless access standard for systems in the frequency ranges GHz and sub 11 GHz. The standard covers both the Media Access Control (MAC) and the physical (PHY) layers. This standard requires line of sight between Base Station (BS) and a Subscriber Station (SS). It defines bit rates from 32 to 134 Mbps using modulation/coding schemes like QPSK, 16-QAM and 64-QAM. There are no mobility considerations in this standard. It has channel bandwidth of 20, 25, and 28 MHz a The IEEE a-2003 Ammendment 2: Medium Access Control Modifications and Additional Physical Layer Specifications for 2-11 GHz, approved in 2003, enables 2-11 GHz operation. It introduces a mesh mode to let nodes forward traffic to adjacent nodes. This standard supports non line-of-sight (NLOS) between BS and SS. It defines bit rates from less than 70 up to 100 Mbps using 256 sub-carrier OFDM with QPSK, 16-QAM, 64-QAM, and 256 QAM like modulation/coding scheme. There are no mobility considerations in this standard. It has a channel bandwidth selectable from 1.25 to 20 MHz eThe IEEE e draft is an ongoing standard that has not been approved by the time of writing of this article. This standard is reported to add mobility support to This standard supports NLOS between BS and SS. It defines bit rates up to 15 Mbps using 256 sub-carrier OFDM with QPSK, 16-QAM, 64-QAM, and 256 QAM like modulation/coding scheme. It supports mobility up to 75 MPH. It has a channel bandwidth of 5 MHz This standard consolidates IEEE , IEEE a, IEEE c. It retains all modes and major features of previous standards without adding modules. Its content has been revised to improve performance, easy deployment, and replace incorrect, ambiguous, or incomplete material [8]. It defines three frequency bands of interest:

15 GHz licensed band: where Line-of-Sight (LOS) is required and multipath is negligible. It uses 25 or 28 MHz channel bandwidth and achieves data rates in excess of 120 Mbps. It uses single-carrier modulation. Frequencies below 11 GHz: Supports NLOS but requires additional physical layer functionality like advanced power management techniques and management of multiple antennas. It also introduces additional mesh topologies and automatic repeat request. License-exempt frequencies below 11 GHz: The license exempt nature introduces additional interference and co-existence issues; therefore, the physical and MAC layer introduce extended capabilities like Dynamic Frequency Selection to detect and avoid interference. Some important points to note. IEEE can operate in either licensed or unlicensed spectrum (2-11 GHz). WiMax systems can be configured for dual-channel Frequency Division Duplex (FDD) or single channel Time Division Duplex (TDD) which makes the technology essentially duplex, compared with IEEE wich is contention based TDD; therefore, half-duplex. The actual transmission speed depends on the bandwidth of the channel and the efficiency of the modulation/coding scheme. The trade off is that the more efficient the modulation/coding scheme, the more susceptible it is to noise and interference supports Adaptive Modulation; when the SNR and/or error rate goes above a threshold, the technology will switch to a more robust modulation/coding scheme trading performance for robustness [9]. IEEE standard describes a sophisticated MAC protocol that can share the radio channel among hundreds of users providing QoS. It uses a Request/Grant access mechanism to minimize the probability of collisions and support consistent-delay voice and variable-delay data services. The BS is in charge of granting access to the channel. Four types of QoS are supported [9]: Unsolicited Grant-Real Time: For real time voice and video. Real Time Polling: Real time service where BS polls subscribers in turn. Variable Bit Rate-Non-Real Time: Non real time data for high priority users. Variable Bit Rate-Best Effort: IP-like best effort service for low priority data.

16 16 Security Analysis of IEEE IEEE defines a separate security sublayer within the MAC layer as shown in Fig 7. This security sublayer is in charge of authentication, secure key exchange, and encryption. In this study we will review the principal features of this sublayer. Fig. 7. IEEE protocol layering [8] A. IEEE Security sublayer The security sublayer provides privacy by encrypting connections between SS and BS; in addition, this encryption provides operators with strong protection against theft of service. The privacy scheme uses an authenticated client/server key management protocol in which the BS distributes keying material to SS. The security services are strengthened by the use of digital-certificate-based SS authentication. 1) Packet Data Encryption: An encapsulation protocol to encrypt packet data across the BWA network. It defines the encryption and authentication algorithms and the necessary information to apply them. Only the MAC PDU payload is encrypted, the MAC header is not encrypted. MAC management messages are sent in the clear to facilitate network operation. 2) Key Management Protocol: The Privacy Key Management (PKM) provides a secure distribution of keying material from BS to SS. The information exchanged in the protocol includes conditions to access the several network services. The SS use PKM to request keying material from the BS and support periodic reauthorization and key refresh. PKM uses X.509 digital certificates, RSA public-key encryption algorithms, and strong encryption algorithms to perform key exchanges between SS and BS. In PKM, the SS acts as a client when requesting material from the BS which acts as a server. PKM uses

17 17 public-key cryptography to derive a shared secret Authentication Key (AK) between the SS and the BS. The AK is used thereafter to avoid computational intensive public-key operations to derive the subsequent key operations. A BS authenticates a SS during authentication exchange. Each SS carries its X.509 digital certificate issued by the SS s manufacturer, or has an internal algorithms to generate the public-private key pair and certificate. The digital certificate contains the SS s public key and the SS MAC address. When the BS receives an authorization request from the SS, the BS verifies the digital certificate and if valid, generates an AK and encrypts it with the SS s public key and sends it back to the SS. When the BS authenticates the SS, it also links the SS to a paying subscriber, and hence to the data services the subscriber has access to. The public-key encryption protects the system against masquerading SS. 3) Security Associations: A SA is the set of security information a BS and one or more of its client SSs share in order to set secure communications. SA are identified by SAIDs. There are Primary, Static, and Dynamic SA. Each SS shall establish an exclusive SA with its BS. The SA s keying material has limited lifetime, and this lifetime is one of the parameters of a SA. It is the responsability of the SS to request new keying material before the current one expires; therefore, there can be up to two keying materials active at the same time. If the lifetime expires before getting a new one, then the SS has to perform a new authentication request. 4) Cryptographic Suite: IEEE support the following cryptographic suites: Data Encryption Algorithms: It currently supports no data encryption, CBC-Mode 56-bit DES, and AES CCM mode. Data Authentication Algorithms: Currently it does not support any data authentication algorithm. TEK Encryption Algorithm: It currently supports 3-DES EDE with 128-bit key, RSA with 1024-bit key, and AES with 128-bit key. 5) PKM protocol: A SS authorization is controlled by the Authorization state machine, and is controlled by the following process: The BS authenticates the SS identity. The BS provides the authenticated SS an AK from where a Key Encryption Key (KEK) and message authentication key are derived. The BS provides the authenticated SS with the necessary SAID s to provide the SS with the services the SS is subscribed to. After the SS achieves initial authorization, the SS periodically seeks reauthorization with the BS. The SS must be authenticated with the BS in order to be able to refresh aging TEKs. TEK state machines manage the refreshing of TEKs. The authentication procedure works as follows. The SS sends an Authorization Request message to the BS. The Authorization Request includes: A manufacturer-issued X.509 certificate. A description of the cryptographic algorithms the requesting SS supports. The SS Basic Connection Identifier (CID). The BS validates Authorization Request and the requesting SS s identity. It determines the encryption algorithm and protocol support it shares with the SS, and generates an AK for the SS. The BS encrypts the AK with the SS public key, and sends it back to the SS in an Authorization Reply message. The

18 18 authorization reply includes: An AK encrypted with the SSs public key. A 4-bit key sequence number, used to distinguish between successive generations of AKs. A key lifetime. The identities (SAIDs) the SS is authorized to obtain keying information for. As mentioned before, the SS is in charge of periodically refresh its AK by reissuing an Authorization Request to the BS. To avoid service interruptions during reauthorization, successive generations of the SS s AKs have overlapping lifetimes. Both SS and BS shall be able to support up to two simultaneously active AKs. The Authorization state machine process is depicted in Fig. 8(a). (a) AK management (b) TEK management Fig. 8. AK and TEK Key Management [8] 6) TEK exchange overview: After a successful authorization, an SS starts a separate Traffic Encryption Key (TEK) state machine for each SAID in the Authorization Reply message. Each TEK state machine periodically sends Key Request messages to the BS, requesting a refresh of keying material for their respective SAIDs. The TEK is encrypted using the KEK derived from the AK. Again, the BS and the SS will maintain active two set of keying material at the same time per SAID. The Key Reply will contain the TEK, a CBC Initialization Vector (IV) and the remaining lifetime of each of the two sets of keying

19 19 material. Maintaining proper TEK keying material ensures that the SS will be able to continually exchange encrypted traffic with the BS. The TEK state machine process is depicted in Fig. 8(b). 7) Dynamic SA: Dynamic Security Associations are SAs that a BS establishes and eliminates dynamically in response to the enabling or disabling of specific service flows. The BS may dynamically establish SAs by issuing an SA Add message. Upon receiving an SA Add message, the SS shall start a TEK state machine for each SA listed in the message. 8) Data Encryption with DES in CBC mode: This is the cryptographic suite defined in the original IEEE Here the MAC PDU payload is encrypted using the CBC mode of the US Data Encryption Standard (DES). The CBC IV shall be calculated as follows: in the downlink, the CBC shall be initialized with the exclusive-or (XOR) of (1) the IV parameter included in the TEK keying information, and (2) the content of the PHY Synchronization field of the latest DL-MAP. In the uplink, the CBC shall be initialized with the XOR of (1) the IV parameter included in the TEK keying information, and (2) the content of the PHY Synchronization field of the DL-MAP that is in effect when the UL-MAP for the uplink transmission is created/received. The downlink map (DL-MAP) is a MAC message that defines burst start times for both time division multiplex and time division multiple access (TDMA) by a SS on the downlink. The uplink map (UL-MAP) is a set of information that defines the entire access for a scheduling interval. 9) Data Encryption with AES in CCM mode: In the new IEEE , support is included for the encryption of the MAC PDU payload using the CCM mode of the US Advanced Encryption Standard (AES). The MAC PDU payload is preprocessed as shown in Fig. 9. The payload is prepended by a 4-byte Packet Number (PN) that is not encrypted. An 8-byte Integrity Check Value (ICV) is appended to the payload. The PDU plaintext and the ICV are encrypted and authenticated using the active TEK key. Fig. 9. PDU Payload Format using AES-CCM [8] The PN associated with an SA shall be set to 1 when the SA is established and when a new TEK is installed. After each PDU transmission, the PN shall be incremented by 1. Any tuple value of <PN, KEY> shall not be used more than once for the purposes of transmitting data. The SS shall ensure that a new TEK is requested and transferred before the PN space is exhausted; otherwise, transport communications on that SA shall be halted until new TEKs are installed. Sending two packets with the same key and PN will eliminate all security guaranteed by the CCM mode. The CCM algorithm should be implemented as specified in the NIST Special Publication C, FIPS-197. On the recipient end, the PDU shall be decrypted and authenticated according to the CCM specification. Packets that fail the authentication shall be discarded. Receiving BSs or SSs will maintain a record of the highest value PN received for each SA.

20 20 If a packet is received with a PN that is equal to, or less than the recorded maximum, then the packet shall be discarded as a replay attempt. 10) Encryption of TEK: The BS encrypts the value fields of the TEK in the reply message sent to the client SS using one of the following algorithms available for the encryption of the TEK: Using two-key 3-DES in the EDE mode. Using the RSA algorithm. Using 128-bit AES in ECB mode. The BS is in charge of generating AKs, TEKs, and IVs. A random or pseudo-random number generator shall be used to generate these values. AKs in Authorization Reply messages shall be RSA public-key encrypted using the SS s public key. Analysis of IEEE threats Any wireless technology will be succeptible to physical layer attacks like radio jamming, or continuously sending packets so the receiver is overwhelmed, and causing a Denial of Service, or fast battery consumption. These kind of attacks are outside the scope of this document and we will review some possible attacks at the MAC layer for which the standards are responsible. The obvious detail after reviewing the standard is the lack of mutual authentication. The SS identifies itself to the BS using its certificate, but the BS never identifies itself to the SS. Therefore; some Man in the Middle attacks are a threat. In [10], David Johnston and Jesse Walker note that an AK can last up to 70 days [8], whereas the TEK lifetime can be as short as 30 min. Therefore a data SA can consume up to 3360 TEKs over the AK s lifetime, requiring the SAID space to grow from 2 to at least 12 bits. It also notes that the BS is in charge of generating several keys (AK, TEK, KAK) and the quality of the random number generator in the BS is of utmost importance. Another issue is how correctly the PKI in place will be implemented. Ideally, there should not be any problem; however, many implementations lacking rigour in their development can compromise the security of all the system. Furthermore, the standard is not very rigorous in its specifications; this will give even more liberty to implementators. The IEEE includes support for DES in CBC mode, and several issues arise. However, in the last revision of the standard, AES in CCM mode is introduced. We believe this was to solve all the problems that DES in CBC mode has. AES in CCM mode is also used in i and had several and extensive reviews; therefore, offering a more mature solution.