ITEC4620 Wireless and Mobile Communication Networks D803(12.30-15.30(Sat)) ดร. ประว ทย ช มช ว ศวกรรมสารสนเทศและการส อสาร Email: prawit@mut.ac.th ห องท างาน: F402 เบอร โทรศ พท ท ท างาน: (02)9883655 ต อ 220 เบอร โทรศ พท เคล อนท : 065343850 Class Security in 802.11 Introduction to Network Security Example of 802.11 Network security Security Service Security Mechanisms Key managements Types of ciphers Security Attacks IEEE 802.11 Security Authentication WEP Security Vulnerabilities 802.11i WPA (WiFi Protected Access) RSN (Robust Security Network)(WPA2) ห วข อบรรยาย IEEE 802.11 Security Examples Ciphertext Ciphertext Ciphertext Source Module Encryption Decryption Receiver Module Wireless Channel Sender Receiver Authentication Encryption Decryption Receiver Module Receiver
Authentication Open System Authentication Any one can join Shared key Authentication Basic Security A standard challenge A shared secret key Data privacy & Data integrity WEP AES used in IEEE 802.11i Security Service Definition A service that enhances the security of data processing systems and information transfers. Makes use of one or more security mechanisms Examples of network security service requirements: authentication privacy, confidentiality integrity non repudiation obliviousness information flow Authentication Definition The requirement by which a process securely communicates its identity to another Thus, if process k receives an identification communication from process j then it must be the case that there is a corresponding send of that identification communication by j Note that if messages are not all unique, then to deal with replay of old communications from j, we may have to embed counters in the state to capture bad prefixes Instances of identity communication of j: k j : n j k : R.j n or k j : n j k : S n ; j Privacy Definition The requirement by which communication is possible that can be decoded only by the processes that agree to communicate In some cases, source, destination, frequency of communication needs to be protected as well Instances of private communication from j to k: j k : S data or j k : B.k data
Non Repudiation Definition The requirement by which a recipient can prove that to anyone that the message was indeed sent by the sender Likewise, a sender can prove that a recipient indeed received the message Note that non-repudiation implies integrity, but not vice versa. Note that non-repudiation does not necessarily imply authentication, since the message could have been forwarded by a third party Instance of nonrepudiation of communication from j to k: j k : data, R.j data or j k : data, R.j MD(data) Integrity Definition The requirement by which a recipient can prove to itself that the message is what was indeed sent I.e., the message was not modified or replaced Instance of integrity of communication from j to k: j k : data, MD(data; S) Obliviousness Definition The requirement by which a process may perform a set of operations but not be sure which one (or more) of them was correctly performed E.g., a process may send two messages but not be sure which one of them was correctly received E.g., a process may sign one of a set of messages but not know which one it signed, or use one of a set of keys to encrypt with but not know which one was chosen Information Flow Definition The requirement by which a high-level process cannot communicate any information to a low-level process, directly or indirectly Sometimes this is called absence of covert channels or subliminal channels One sufficient condition for this requirement is called noninterference, which says that the outcome of an action of a low-level process in a computation remains the same even if actions performed by all higher-level processes are added or deleted to the computation
Security services (contd.) Other important security services include: authorization: access is enabled if that access is allowed availability: permanence, non-erasure verifiability: a sort of integrity, revealing originality not content unforgeability: a sort of integrity, forged messages must be independent of original messages distinguishability: can guess whether encrypted msg is m0/m1 detectability: can guess whether encrypted msg is valid Ethical, social, policy and legal issues Some software we will study may be under export restriction, it is your responsibility to obey the applicable laws Many of the algorithms we will discuss are protected by patents, which makes it illegal to make and sell (or give away) computer programs that use those algorithms I expect you to work individually. Cheating/undisclosed collaboration will be dealt with severely Types of Cryptographic Functions Secret Key Cryptography (Systematic cryptography) One Password key for Encryption and Decryption Public Key Cryptography (Systematic cryptography) - Two key: Public key and Private Key Hash Algorithm Message digits or one-way transformations Secret Key Cryptography Ciphertext Ciphertext Ciphertext Source Module Encryption Decryption Receiver Module Communication Channel Sender Receiver
Public key algorithm Ciphertext Ciphertext Ciphertext Source Module Encryption Decryption Receiver Module Communication Channel Sender Receiver Decryption Receiver Module Hash Algorithms Password Hashing ใช ในการเก บ hash ของ password Message Integrity ใช ในการตรวจสอบความถ กต องของข อม ล Message Finger print ใช ในการตรวจสอบความถ กต องของข อม ลจ านวนมาก ๆ Downline Load Security ใช ในการตรวจสอบความถ กต องของโปรแกรมท ได มาจากอ ปกรณ เคร อข ายปลายทาง o = h(m) Receiver m= massages ร o และ h(m) หาค า m ได ยากมาก Stream Ciphers Types of Ciphers Generates Continuous key stream based on the key value Block Ciphers Generates a single encryption key stream of a fixed size Both Ciphers Same input generates the same Ciphertext output (security threat) Initialization Vectors Feedback modes key Cipher Stream Ciphers Key Stream Ciphertext
Block Ciphers Without Initialization Vectors With Feedback modes Electronic Code Book (ECB) (No Feed back Mode) Output Feedback Mode (OFB) Cipher Feedback Mode (CFB) Key m1 En discarded K bits Key m2 En discarded K bits Key m3 En Key m1 discarded K bits En discarded K bits c1 Key m2 En discarded K bits c2 Key m3 En discarded K bits c3 Security Mechanism Definition A mechanism that is designed to detect, prevent, or recover from a security attack Pervasive security mechanisms include: encryption or encipherment digital signatures, notarization traffic padding routing control trusted functionality security labels access controls event detection audit trails Firewalls c1 c2 c3
Types of Keys Cryptography underlies many security mechanisms. Keys are often used for securing or unsecuring information Symmetric, S: Same key is used to encode and decode Asymmetric or Public/Private, B/R: Public key is used to encode, private key to decode One way function, f: Given x, it is easy to compute f(x), but given f(x) it s hard to compute x One way function with trapdoor, f: A one way function where given f(x) it is easy to compute x if one knows a trapdoor function g s.t. g(f(x))=x Types of Keys (contd.) One way permutation, f,g: Both f and g are one way functions and each other's trapdoor One way hash function, MD: A hash function MD that is one way (Recall that a hash function may be many-to-one) One way strongly collision-free hash function, MD: A one way hash function MD s.t. it is hard to compute different x and y s.t. MD(x)=MD(y) One way weakly collision-free hash function, MD: A one way hash function MD s.t. given x it is hard to compute a different y s.t. MD(x)=MD(y) Types of Keys (contd.) Weak key: A key in the key-space that does not encode well, e.g., 0-key, and is thus easy to guess Complement key: A key s.t. Complement(f(x)) = f(complement(x)) and thus involves considering half the x to guess Related keys: A pair of keys that are related by some difference which can be exploited to reduce the number of x to guess Introduction to Network Security Example of 802.11 Network security Security Service Security Mechanisms Key managements Types of ciphers Security Attacks IEEE 802.11 Security Authentication WEP Security Vulnerabilities 802.11i WPA (WiFi Protected Access) RSN (Robust Security Network)(WPA2) ห วข อบรรยาย
Athentication and Access control CRC Integrity Protection Confidentaility RC4 Shared key WEP WEP IEEE 802.11 Security open RC4 TRIP EAP MIC WEP WPA Mac Adress Filtering Firewall VPN (Virtual Private Network) 802.1X EAP TRIP(opt) RSN(WPA2) WEP AES- CCMP 802.11i 802.1X IEEE 802.11 Security SSID ก าหนดไม AP กระจาย SSID Ethernet MAC Address Access Control Lists ก าหนดการเช อมต อเคร อข ายโดยใช หมายเลข MAC ของล กข าย หมายเลข MAC สามารถเปล ยนได Authentication WEP (Wired Equivalent Privacy) 802.11i หล งจากเจอช องโว ของ WEP WPA (Wi-Fi Protected Access) TKIP (Temporal Key Integrity Protocol) AES (Advanced Encryption Standard) Open Authentication Shared Key Authentication Authentication In WLAN Authentication Frame Format
Open Authentication Shared Key Authentication Challenge Text 128 bytes The first is the same as the first frame in open system authentication Generated using the WEB key generator with a random key and initialization vector (2 Frame) The frame is encrypted with WEP (third frame) After receiving the third frame, integrity check, if valid, send forth frame The forth frame is the same as the second frame in open system authen tication Frame Format when using WEP
CICV CICV ICV ICV CICV WEP ICV ICV Key ID+Pad CRC I Secret RC4 Keystream V key Secret key RC4 Keystream I V I Ciphertext V Ciphertext Algorithms - CRC, RC4, Parameters WEP Decryption Ciphertext WEP Encryption Yes CRC No Discard Bad ICV I Ciphertext V X1 0 0 1 1 X2 0 1 0 1 X1 X2 0 1 1 0 - (Initialization Vector), ICV (Integrate Check Value), CICV (Cipher ICV) - 64 bits = 24()+40 (Secret key) - 128 bits = 24()+104 (Secret key) KSA (Key Scheduling Algorithm) PRGA (Pseudo Random Generation Algorithm) N = 2 n l is the number of words of K, where each word contains n bits x CRC (Cyclic redundancy check) 32 Polynomial 3-bit CRC ส งออกช องส ญญาณ IEEE 32-bit CRC Polynomial 26 23 22 16 12 11 10 8 7 5 4 2 + x + x + x + x + x + x + x + x + x + x + x + x + x + 1 x 3 + x + 1 n=8 (normally) K = secret key z = key stream
Example of IEEE 802.11 Security ม AP ต วหน งเสร จค า Authentication เป น open system authentication Encryption แบบ WEP 128 bits ไม ม การ filter MAC address น กศ กษาไม ม the shared secret key น กศ กษาสามารถเช อมต อได? น กศ กษาสามารถ ping AP น นจากเคร อง คอมน กศ กษา? An Example of WEP Key Distribution No speciation of key distribution All keys must be statically entered into ether the driver software or the firmware on the wireless card If keys are accessible to users, then all keys must be changed Key management problems collisions Message Injection Authentication Spoofing Cracking Web Key Problems with WEP
Key management problems WEP used a systematic key encryption mechanism Both encryption and decryption use the same key If a laptop is stolen, the shared key has to re-config on both AP and clients is reused is sent in clear text 2 packet from the same collisions Keystream Cipher text Cipher text Cipher text collisions 11010011 10100110 Keystream 01110101 Cipher text 01110101 10001011 11111110 Cipher text 00101101 10100110 10001011 11010011 00101101 11111110 collisions Know Ciphertext1 and Ciphertext2 1 Get 2 How we know 1 1. Send a packet to a target machine 2. Geuss plaintext1 from well-known protocols Handshaking in TCP
Message Injection IEEE 802.11 does not require the to change with every packet Know A key stream from a Pliant text and a Cipher text A new Ciphertext A new plaintext the known key stream Inject the packet into the network A valid WEP packet Cipher text Keystream Message Injection 11010011 10100110 Keystream 01110101 Cipher text 11010011 10100110 01110101 Deriving a key stream Forging a new cipher text Authentication Spoofing = Challenge Text Ciphertext = Challenge Response Use message injection - To authentication without the shared secret key Cracking Web Key Airsnort, WEPCrack and dweputils From Scoth Fluhre, Itsik Mantin and Adi Shamir Weaknesses in the Key Scheduling Algorithm of RC4 Know The first few bytes of pliantext Such as IP and ARP start with 0xAA
Brute Force Attack vs FSM Attack Brute Force Attack Capture a single encrypted packet Apply an enormous of computing power FSM (Finite State Machine) Attack Capture an enormous of encrypted packets Use very little CPU power Introduction to Network Security Example of 802.11 Network security Security Service Security Mechanisms Key managements Types of ciphers Security Attacks IEEE 802.11 Security Authentication WEP Security Vulnerabilities 802.11i WPA (WiFi Protected Access) RSN (Robust Security Network)(WPA2) ห วข อบรรยาย WPA (Wi-Fi Protected Access) & RNS Authentication and Access control User based Authentication Logical Port Based on 802.1X EAP (Extensible Authentication protocol), EAPOL (EAP Over LAN) EAP-Cisco EAP-TLS (Transport Layer Security) EAP-PEAP (Protected EAP)
802.1X Supplicant Autheticator Authenticaion Server 1. 802.1X(EAP-Start) 2. AP Blocks All Non-802.1X Traffic 3. 802.1X (EAP-Request Identiy) 4. 802.1X(EAP-Response Indentity) 5. RADIUS(EAP-Response Identity) 7. 802.1X(EAP-Request)(Challenge) 6. RADIUS (EAP-Request)(Challenge) 8. 802.1X(EAP-Response) (Challenge response) 10. 802.1X (EAP-Request)(Challenge) 9. RADIUS(EAP-Response) (Challenge response) 11. RADIUS (EAP-Request)(Challenge) 13. 802.1X(EAP-Response)(Challenge response) 15. 802.1X(EAP-Success) 12. RADIUS(EAP-Response)(Challenge response) 14. RADIUS ACCEPT 17. The client opens its Port 16. The AP opens the client s Port TKIP (Temporal Key Integrity Protocol) 802.1X Derived key Most Significant 32 Bits Form Transmitter MAC Address Mixer Phase 1 Key Mixer 16 Bit Per Frame Key Plain Text Data Frame WEP Encrypted Data Frame 802.1X Derived key Most Significant 32 Bits Form Transmitter MAC Address Encrypted Data Frame Mixer 16 Bit MIC key Michael Plain Text Data Frame Phase 1 Key Mixer Per Frame Key MIC Failure Sequecnce Discard Failed ICV WEP Data Frame with MIC Discard Out of sequence MIC (Message Integrity Code) Destination MAC Address Source MAC Addresss 802.11 Data Payload Michael 64 Bit MIC 16 bit Data Payload 64 bit MIC 32 Bit ICV Per Frame Encryption Frame transmitted AES-CCMP (Advanced Encryption Standard) Need new hardware CCM (new mode) combines of CTR (Counter mode encryption) CBC MAC (Cipher Block Chaining-Message Authentication Code)
Summary IEEE Authentication WEP WPA TRIP WPA2(AES-CCMP),RSN(Robust Security Network) แบบฝ กห ดลองท าด