Security in Wireless and Mobile Networks

Security in Wireless and Mobile Networks 1

Introduction This is a vast and active field, a course by itself Many references on wireless security A good book on wireless cooperation: Thwarting Malicious and Selfish Behavior in the Age of Ubiquitous Computing, by Levente Buttyanand Jean-Pierre Hubaux, Cambridge University Press, 2007. available at: http://secowinet.epfl.ch/ 2

Generic Network Security Attack Models availability confidentiality 3 integrity authenticity; incentive-compatibility

Why is Security Challenging in Wireless/Mobile Networks? 4 No inherent physical protection physical connections between devices are replaced by logical associations sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.) Broadcast communications wireless usually means radio, which has a broadcast nature transmissions can be overheard by anyone in range anyone can generate transmissions, which will be received by other devices in range which will interfere with other nearby transmissions Thus it is easier to implement jamming, eavesdropping, injecting bogus messages, and replaying previously recorded messages

Why is Security Challenging in Mobile Networks? Since mobile devices typically have limited resources (e.g., CPU cycles, battery supply), the designer might want to select simple security mechanisms However, this may lead to serious security flaws bad example: Wired Equivalent Protection (WEP), the original security protocol for 802.11 5

6 WEP: A Bad Example

802.11 Message Flow data messages protected by WEP 7

Wired Equivalent Privacy (WEP) WEP was intended to provide comparable confidentiality to a traditional wired network, thus the name WEP implements message confidentiality and integrity WEP encryption is used in 802.11 authentication 8

WEP Security WEP confidentiality through encryption using RC4, a stream-based encryption algorithm using a shared key WEP integrity through message check sum using encrypted cyclic redundancy check (CRC) WEP authentication through challenge/response 9

WEP Encryption For each message to be sent: RC4 is initialized with the shared secret between station STA and access point (AP) WEP allows up to 4 shared keys RC4 produces a pseudo-random byte sequence (key stream) from the shared key This pseudo-random byte sequence is XORed to the message 10

WEP Encryption To avoid using the same key stream, WEP encrypts each message with a different key stream the RC4 generator is initialized with the shared secret plus a 24-bit IV (initial value) shared secret is the same for each message 24-bit IV for each message there is no specification on how to choose the IV; sender picks the IV value 11

WEP Integrity WEP integrity protection is based on computing ICV (integrity check value) using CRC and appended to the message The message and the ICV are encrypted together 12

WEP CRC message ICV IV secret key RC4 KS encode IV message ICV decode IV secret key RC4 KS 13 message ICV check CRC

WEP Access control before association, the STA needs to authenticate itself to the AP authentication is based on a simple challenge-response protocol: STA AP: authenticate request AP STA: authenticate challenge (r) STA AP: authenticate response (e K (r)) AP STA: authenticate success/failure // r is 128 bits long once authenticated, the STA can send an association request, and the AP will respond with an association response if authentication fails, no association is possible 14/60

WEP Keys two kinds of keys are allowed by the standard default key (also called shared key, group key, multicast key, broadcast key, key) key mapping keys (also called individual key, per-station key, unique key) id:x key:abc default key id:x key:def key mapping key id:y key:abc id:y key:ghi id:z key:abc in practice, often only default keys are supported the default key is manually installed in every STA and the AP each STA uses the same shared secret key in principle, STAs can decrypt each other s messages 15/60 key:abc id:z key:jkl id:x key:def id:y key:ghi id:z key:jkl

16/60 WEP Management of default keys the default key is a group key, and group keys need to be changed when a member leaves the group e.g., when someone leaves the company and shouldn t have access to the network anymore it is practically impossible to change the default key in every device simultaneously hence, WEP supports multiple default keys to help the smooth change of keys one of the keys is called the active key the active key is used to encrypt messages any key can be used to decrypt messages the message header contains a key ID that allows the receiver to find out which key should be used to decrypt the message

WEP The key change process time ❶ abc* --- abc* --- * active key ❷ abc* --- abc* def abc def* ❸ --- def* abc def* ❹ --- def* --- def* 17/60

WEP flaws Authentication and access control authentication is one-way only AP is not authenticated to STA STA is at risk to associate to a rogue AP the same shared secret key is used for authentication and encryption 18/60 weaknesses in any of the two protocols can be used to break the key no session key is established during authentication access control is not continuous once a STA has authenticated and associated to the AP, an attacker send messages using the MAC address of STA correctly encrypted messages cannot be produced by the attacker, but replay of STA messages is still possible STA can be impersonated next slide

Active Attack on WEP: IV Replay Attacks A known plain-text message is sent to an observable wireless LAN client (how?) The network attacker will sniff the wireless LAN looking for the predicted cipher-text The network attacker will find the known frame, derive the key stream (corresponds to the give IV+K), and reuse the key stream 19

Active Attack on WEP: Bit-Flipping Attack The attacker sniffs a frame on the wireless LAN The attacker captures the frame and flips random bits in the data payload of the frame The attacker modifies the ICV (detailed later) The attacker transmits the modified frame The access point receives the frame and verifies the ICV based on the frame contents The AP accepts the modified frame The destination receiver de-encapsulates the frame and processes the Layer 3 packet Because bits are flipped in the higher layer packet, the Layer 3 checksum fails The receiver IP stack generates a predictable ICMP error The attacker sniffs the wireless LAN looking for the encrypted error message Upon receiving the error message, the attacker derives the key stream as with the IV replay attack 20

21 Bit-Flipping Attack

Generating Valid CRC The crucial step of the flipping attack is to allow the frame to pass the ICV check of the AP Unfortunately, the CRC algorithm allows generating valid encrypted ICV after bit flipping 22

Bypassing Encrypted ICV CRC is a linear function wrt to XOR: CRC(X Y) = CRC(X) CRC(Y) - Attacker observes (M CRC(M)) Kwhere K is the key stream output - for any M, the attacker can compute CRC( M) - hence, the attacker can compute: ([M CRC(M]) K) [ M CRC( M)] = ([M M) (CRC(M) CRC( M)]) K = [M M) CRC(M M)] K 23

WEP Authentication Two authentication modes open authentication --- means no authentication! an AP could use SSID authentication and MAC address filtering shared key authentication based on WEP 24

WEP Shared Key Authentication Shared key authentication is based on a challenge-response protocol: AP STA: r STA AP: IV (r K) where K is a 128 bit RC4 output on IV and the shared secret An attacker can compute r (r K) = K Then it can use K to impersonate STA later: AP attacker: r attacker AP: IV (r K) 25

IV space is too small IV space is too small IV size is only 24 bits there are 16,777,216 possible IVs after around 17 million messages, IVs are reused a busy AP at 11 Mbps is capable for transmitting 700 packets per second IV space is used up in around 7 hours in many implementations IVs are initialized with 0 on startup if several devices are switched on nearly at the same time, they all use the same sequence of IVs if they all use the same default key (which is the common case), then IV collisions are readily available to an attacker 26/60

Weak RC4 keys for some seed values (called weak keys), the beginning of the RC4 output is not really random if a weak key is used, then the first few bytes of the output reveals a lot of information about the key breaking the key is made easier for this reason, crypto experts suggest to always throw away the first 256 bytes of the RC4 output, but WEP doesn t do that due to the use of IVs, eventually a weak key will be used, and the attacker will know that, because the IV is sent in clear WEP encryption can be broken by capturing a few million messages! 27/60

WEP: Lessons Engineering security protocols is difficult one can combine otherwise OK building blocks in a wrong way and obtain an insecure system at the end example 1: stream ciphers alone are OK challenge-response protocols for entity authentication are OK but they shouldn t be combined example 2: encrypting a message digest to obtain an ICV is a good principle but it doesn t work if the message digest function is linear wrt to the encryption function 28

Fixing WEP After the collapse of WEP, Wi-Fi Protected Access (WPA) was proposed in 2003 Then the full 802.11x standard (also called WPA2) was proposed in 2004 But WEP is still in use 29

Overview of 802.11i 802.11i defines the concept of RSN (Robust Security Network) integrity protection and encryption is based on AES (and not on RC4 anymore) nice solution, but needs new hardware cannot be adopted immediately 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol) 30/60 integrity protection is based on Michael (we will skip the details of that) encryption is based on RC4, but WEP s problems have been avoided ugly solution, but runs on old hardware (after software upgrade) Industrial names TKIP WPA (WiFi Protected Access) RSN/AES WPA2

TKIP runs on old hardware (supporting RC4), but WEP weaknesses are corrected new message integrity protection mechanism called Michael increase IV length to 48 bits in order to prevent IV reuse per-packet keys to prevent attacks based on weak keys 31/60

TKIP Generating RC4 keys 48 bits IV upper 32 bits lower 16 bits data encryption key from PTK 128 bits key mix (phase 1) MAC address dummy byte key mix (phase 2) IV d IV per-packet key RC4 seed value 3x8 = 24 bits 104 bit 32/60

Upcoming networks vs. mechanisms Rule enforcement Upcoming mechanisms wireless networks Small operators, community networks Cellular operators in shared spectrum Mesh networks Hybrid ad hoc networks Self-organized ad hoc networks Vehicular networks Sensor networks RFID networks X X X X X X X X X X X X X X X X X X? X X X X X X X X X X X X X X X X X X X X X X???? X X X X X? X? X? X X? Security Cooperation 33

Naming and addressing Typical attacks: Sybil: the same node has multiple identities Replication: theattacker captures a node and replicates it several nodes share the same identity Distributed protection technique in IPv6: Cryptographically Generated Addresses (T. Aura, 2003; RFC 3972) only a partial solution to the problem Public key For higher security (hash function output beyond 64 bits), hash Hash function extension can be used Subnet prefix Interface ID 64 bits 64 bits IPv6 address Parno, Perrig, and Gligor. Detection of node replicationattacks 34 in sensor networks. IEEE Symposium on Security and Privacy, 2005

Pairwisekey establishment in sensor networks 1. Initialization m (<<k) keys in each sensor ( key ring of the node ) Key reservoir (k keys) 2. Deployment Probability for any 2 nodes to have a common key: Do we have a common key? p = 1 2 (( k m)!) k!( k 2m)! 35

Probability for two sensors to have a common key 36 Eschenauer and Gligor, ACM CCS 2002 See also: Karlof, Sastry, Wagner: TinySec, Sensys 2004 Westhoff et al.: On Digital Signatures in Sensor Networks, ETT 2005

Securing Neighbor Discovery: Thwarting Wormholes Routing protocols will choose routes that contain wormhole links typically those routes appear to be shorter Many of the routes (e.g., discovered by flooding based routing protocols such as DSR) will go through the wormhole The adversary can then monitor traffic or drop packets (DoS) 37

Secure routing in wireless ad hoc networks Exchange of messages in Dynamic Source Routing (DSR): B A D E G H A *: [req,a,h; -] B, C, D, E B *: [req,a,h; B] A C *: [req,a,h; C] A D *: [req,a,h; D] A, E, G E *: [req,a,h; E] A, D, G, F F *: [req,a,h; E,F] E, G, H G *: [req,a,h; D,G] D, E, F, H C F H A: [H,F,E,A; rep; E,F] Routing disruption attacks routing loop black hole / gray hole partition detour wormhole Resource consumption attacks 38 injecting extra data packets in the network injecting extra control packets in the network

Privacy: the case of RFID RFID = Radio-Frequency Identification RFID system elements RFID tag + RFID reader + back-end database RFID tag = microchip + RF antenna microchip stores data (few hundred bits) Active tags have their own battery expensive Passive tags powered up by the reader s signal reflect the RF signal of the reader modulated with stored data tagged object RFID tag reading signal ID RFID reader ID back-end database 39 detailed object information

RFID privacy problems RFID tags respond to reader s query automatically, without authenticating the reader clandestine scanning of tags is a plausible threat Two particular problems: 1. Inventorying: a reader can silently determine what objects a person is carrying books medicaments banknotes underwear 2. Tracking: set of readers can determine where a given person is located tags emit fixed unique identifiers suitcase: Samsonit e jeans: Lee Cooper even if tag response is not unique it is possible to track a set of particular tags shoes: Nike watch: Casio book: Wireless Security Juels A., RFID Security and Privacy: A Research Survey, IEEE JSAC, Feb. 2006 40

Secure positioning a) Node displacement v 1 b) Wormhole m 2 m 4 v 1 m 1 m 3 c v - honest node m - malicious node c - compromised node c v 2 v 3 Node's measured distance m 5 Node's actual distance c) Malicious distance enlargement Node's actual position Node's reported position d) Dissemination of false position and distance information http://www.syssec.ethz.ch/research/spot 41

Summary Many security problems. Better work on security now instead of later. See the case of the Internet.

802.1X authentication model supplicant sys authenticator system auth server sys supplicant services authenticator authentication server port controls 43/60 LAN the supplicant requestsaccess to the services (wants to connect to the network) the authenticator controlsaccess to the services (controls the state of a port) the authentication server authorizes access to the services the supplicant authenticates itself to the authentication server if the authentication is successful, the authentication server instructs the authenticator to switch the port on the authentication server informs the supplicant that access is allowed

Mapping the 802.1X model to WiFi supplicant mobile device (STA) authenticator access point (AP) authentication server server application running on the AP or on a dedicated machine port logical state implemented in software in the AP one more thing is added to the basic 802.1X model in 802.11i: 44/60 successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server the session key is sent to the AP in a secure way A shared key between the AP and the auth server (set up manually)