Distributed Systems Security



Similar documents
Wireless security. Any station within range of the RF receives data Two security mechanism

Wireless Networks. Welcome to Wireless

WiFi Security: WEP, WPA, and WPA2

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Security in IEEE WLANs

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Chapter 6 CDMA/802.11i

EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE i (WPA2)

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Symm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2003): 15 Wireless LAN Security 1. Dr.-Ing G.

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

CS 356 Lecture 29 Wireless Security. Spring 2013

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN

Chapter 2 Wireless Networking Basics

White paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points.

WLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles

chap18.wireless Network Security

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story

Key Management (Distribution and Certification) (1)

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Lecture 2 Secure Wireless LAN

How To Secure Your Network With 802.1X (Ipo) On A Pc Or Mac Or Macbook Or Ipo On A Microsoft Mac Or Ipow On A Network With A Password Protected By A Keyed Key (Ipow)

Netzwerksicherheit: Anwendungen

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

WLAN Access Security Technical White Paper. Issue 02. Date HUAWEI TECHNOLOGIES CO., LTD.

CS 336/536 Computer Network Security. Summer Term Wi-Fi Protected Access (WPA) compiled by Anthony Barnard

Chapter 9. IP Secure

Your Wireless Network has No Clothes

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Network security, TKK, Nov

Linux Access Point and IPSec Bridge

WLAN Security. Giwhan Cho Distributed/Mobile Computing System Lab. Chonbuk National University

Network Access Security. Lesson 10

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

The next generation of knowledge and expertise Wireless Security Basics

WIRELESS SECURITY IN (WI-FI ) NETWORKS

A DISCUSSION OF WIRELESS SECURITY TECHNOLOGIES

Analysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal

Computer Networks. Secure Systems

Huawei WLAN Authentication and Encryption

Network Security Protocols

Wireless Local Area Network Security Obscurity Through Security

CS549: Cryptography and Network Security

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Wireless Security: Token, WEP, Cellular

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Vulnerabilities of Wireless Security protocols (WEP and WPA2)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

How To Secure Wireless Networks

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Security in Wireless and Mobile Networks

Wireless Networking Basics. NETGEAR, Inc Great America Parkway Santa Clara, CA USA

UNIK4250 Security in Distributed Systems University of Oslo Spring Part 7 Wireless Network Security

Network Security. Lecture 3

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Configure WorkGroup Bridge on the WAP131 Access Point

Wireless LAN Security Mechanisms

IEEE Wireless LAN Security Overview

PwC. Outline. The case for wireless networking. Access points and network cards. Introduction: OSI layers and 802 structure

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Network Security Part II: Standards

Lecture 3. WPA and i

COMPARISON OF WIRELESS SECURITY PROTOCOLS (WEP AND WPA2)

Wireless Technology Seminar

CSC574: Computer and Network Security

WLAN and IEEE Security

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

Wireless LAN Security I: WEP Overview and Tools

Basic Security. Security Service. Authentication. Privacy. Authentication. Data privacy & Data integrity

The Importance of Wireless Security

WI-FI SECURITY: A LITERATURE REVIEW OF SECURITY IN WIRELESS NETWORK

Configuring Security Solutions

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Chapter 17. Transport-Level Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Topics in Network Security

Authentication and Security in IP based Multi Hop Networks

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Virtual Private Networks

Security Awareness. Wireless Network Security

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Developing Network Security Strategies

A COMPARITIVE ANALYSIS OF WIRELESS SECURITY PROTOCOLS (WEP and WPA2)

Wireless Encryption Protection

Transcription:

Distributed Systems Security Protocols (Physical/Data-Link Layer) Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.itm.uni-luebeck.de/people/pfisterer

Overview Security on Different Layers Security on Physical & Data-Link Layer Mostly security in wireless networks Example: Wireless LANs (IEEE 802.11a/b/g, 802.11i) Security - 07 Physical/Data Link Layer #2

Security on Different Layers Security - 04 Cryptology #3

Security on Different Layers Where do we place security mechanisms? Pros and cons on different protocol layers? Physical / Data-Link Layer E.g., Bluetooth, WEP/WPA/WPA2 in WLAN Network Layer E.g., IPSec, L2TP Transport Layer E.g., SSL/TLS Application Layer E.g., PGP, Kerberos Kerberos UDP LLC/MAC PHY LLC IP WEP MAC HTTP FTP SMTP TCP/UDP IPSec LLC/MAC HTTP FTP SMTP SSL/TLS TCP/UDP IP SET HTTP PGP S-MIME SMTP TCP Security - 06 Protocols #4 IP

Security in Lower Layers (PHY, DL) Protection of (some) individual links + Transparent for upper layers (i.e., IP, TCP, and application) + Minimal changes in protocol stack Security for single hops only No end-to-end security Not flexibly controllable by applications directional radio Security - 06 Protocols #5

Security in Network/Transport Layer Protection on the IP and/or TCP/UDP layer + Transparent for applications on network layer (IP IPSec) + End-to-end security across unsecure infrastructures + Complete connections securable (e.g., using VPNs) + Transport layer security controllable by /visible to applications (e.g., https instead of http) IPSec not controllable by / visible to applications Transport layer (TCP over TLS) requires application changes Any application layer protocol E.g., FTP, Web Apps, SMTP, POP, IMAP,... end-to-end connection security directional radio Security - 06 Protocols #6

Security in Application Layer Application security provided by the application + Flexibly controllable by applications Each application has its own custom-tailored security services No synergy between different applications E.G. Kerberos, S/MIME, PGP, GnuPG provide their own implementations Secure application layer protocol E.g., PGP, S/MIME, SMTPs, POPs, IMAPs,... end-to-end connection security directional radio Security - 06 Protocols #7

Wireless LAN

Wireless LAN Standards Also known as WLAN and WiFi Specifies layer 1&2 (physical & data-link layer) Standards IEEE 802.11 (1997: 1 / 2 Mbps, 2.4Ghz) IEEE 802.11a (1999: max. 54 Mbps, 5 Ghz) IEEE 802.11b (1999: 5,5 Mbps and 11 Mbps, 2.4 Ghz) IEEE 802.11g (2003: 54 Mbps, 2.4 Ghz) IEEE 802.11n (2009: 150 Mbps, 2.4 / 5 GHz) IEEE 802.11i (2004, enhanced security) Security - 07 Physical/Data Link Layer #9

802.11 Infrastructure Mode Access Point (AP) Bridge between wireless and wired networks Composed of Radio interface Wired network interface (usually 802.3) Bridging software Aggregates access for multiple wireless stations to wired network Basic Service Set (BSS) single cell Access Point Station Extended Service Set (ESS) multiple cells Wireless station Security - 07 Physical/Data Link Layer #10

Interception Wireless LAN uses radio signals Not limited to physical buildings BSS Signal weakened by Walls, Floors, and Interference Directional antenna allows interception over longer distances Station outside building perimeter Security - 07 Physical/Data Link Layer #11

Wardriving Software Netstumbler THC-Wardrive Kismet Wellenreiter VisStumbler inssider Laptop with (optional) GPS for logging MAC address & channel Network name (SSID) Manufacturer Signal strength /noise Location Security - 07 Physical/Data Link Layer #12

Wardriving example Security - 07 Physical/Data Link Layer #13

Joining a BSS APs send beacons (announce WiFi presence) May include Service Set Identifier (SSID) AP chosen on signal strength and observed error rates Client scans channels Periodically or on weak signal Check for stronger or more reliable APs If one is found, it re-associates with new AP Open System Authentication No authentication or encryption Clients only specify SSID when requesting association Security - 07 Physical/Data Link Layer #14

MAC Address locking Access points have Access Control Lists (ACL) ACL is list of allowed MAC addresses E.g. Allow access to: 00:01:42:0E:12:1F 00:01:42:F1:72:AE 00:01:42:4F:E2:01 MAC addresses are sniffable and spoofable ACLs are ineffective security technique Security - 07 Physical/Data Link Layer #15

Wireless LANs Wireless LANs Wired Equivalent Privacy (WEP)

802.11b Security Services (Wired Equivalence Privacy) Goal: Equivalent security like in LANs LAN security features? Security Features of 802.11b Authentication, Confidentiality, and Integrity Wired Equivalence Privacy (WEP) Authentication: Shared Key Key shared by all APs and clients of an ESS 802.11b defines no key management strategy Nightmare in large wireless LANs Local Area Network (LAN) Equivalent Privacy Confidentiality: RC4 encryption of data Integrity: Integrity Check Vector 802.11 wireless network Security - 07 Physical/Data Link Layer #17

WEP: Shared Key Authentication Station requests association with Access Point Challenge-Response Scheme Procedure 1. AP sends random number to station 2. Station encrypts random number (using RC4, 40 bit shared key and 24 bit IV) 3. Encrypted random number sent to AP 4. AP decrypts received message (using the same key stream) 5. AP compares decrypted number with transmitted one (Step 1) 6. If numbers match, station knows shared secret key Security - 07 Physical/Data Link Layer #18

WEP: Packet Transmission Integrity: compute Integrity Check Vector (ICV) 32 bit Cyclic Redundancy Check appended to message to create plaintext Confidentiality: plaintext encrypted via RC4 Plaintext XORed with key stream of pseudo random bits Key stream is function of 40-bit secret key and 24 bit initialization vector Initialization Vector (IV) PRNG IV Secret key Data 32 bit CRC Cipher text Security - 07 Physical/Data Link Layer #19

WEP: Packet Reception Decryption: ciphertext decrypted via RC4 XORed with same key stream as sender Generated from 40-bit secret key + 24 bit IV from packet Key stream differs per packet (if different IV is used) Integrity: Compare received and decrypted ICV with CRC of received data Secret key PRNG Plaintext IV Data CRC Cipher text CRC Compare Security - 07 Physical/Data Link Layer #20

WEP: Initialization Vector IV must be different for every message 802.11 standard doesn t specify how IV is calculated Different implementations used Simple incrementing counter for each message Alternating ascending and descending counters Some use a pseudo random IV generator Can be used for a variety of attacks Security - 07 Physical/Data Link Layer #21

WEP: Authentication Weaknesses Attack by extracting a single key stream AP does not check if IV is reused Attack Shared Key Authentication Challenge and response provide plain and ciphertext M 1 C 1 = M 1 M 1 RC4(IV,K) = RC4(IV,K) Attacker gets a valid key stream May be used for authentication and sending encrypted messages Security - 07 Physical/Data Link Layer #22

WEP: Authentication Weaknesses No mutual authentication Only client is authenticated APs are not authenticated Allows man-in-the-middle attacks Build and run own AP with same name Client connects to AP with best signal Attacker forwards messages to real AP Security - 07 Physical/Data Link Layer #23

WEP: Summary WEP dangerous due to wrong key usage Not because of the algorithm RC4 securely used in SSL/TLS Recommended measures WLAN cannot be trusted WLAN outside the Intranet separated by Firewall Use higher layer Security Protocols to secure communication PPTP, IPSec, SSL, SSH, Security - 07 Physical/Data Link Layer #24

Wireless LANs Wireless LANs IEEE 802.11i (WPA & WPA2)

Overview of 802.11i After the collapse of WEP, IEEE started to develop a new security architecture 802.11i 802.11i novelties compared to WEP Access control model based on 802.1X Flexible authentication framework (using EAP) Authentication based on strong protocols (e.g., TLS) Authentication results in shared session key Different functions (encryption, integrity) use different keys derived from the session key using a one-way function Improved encryption and integrity protection Security - 07 Physical/Data Link Layer #26

Overview of 802.11i 802.11i defines concept of a Robust Security Network (RSN) Integrity protection and encryption based on AES (not RC4 anymore) Good, but requires new hardware no software update of routers possible For immediate security: updates to WEP So-called pre-rsn networks New protocol: Temporal Key Integrity Protocol (TKIP) Encryption based on RC4 but avoids WEP s problems For integrity, a novel scheme is proposed (called Michael) Ugly solution, but runs on old hardware (after software upgrade) Industry names TKIP WPA (WiFi Protected Access) RSN WPA2 Security - 07 Physical/Data Link Layer #27

802.11i Security Solutions WEP TKIP (WPA) CCMP (WPA2) Algorithm RC4 RC4 AES Key Length 40 / 104 Bit 128 Bit (enc.) 64 Bit (auth.) 128 bit Initialization 24 Bit IV 48 Bit IV - Vector Integrity Data CRC32 Michael CCM (Counter with CBC-MAC) Header none Michael CCM Replay Protection none IV-Check IV-Check Key Management none 802.11i 4-Way- Handshake 802.11i 4-Way- Handshake Security - 07 Physical/Data Link Layer #28

Wireless LANs Wi-Fi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP)

TKIP Runs on old hardware Uses RC4 for encryption with WEP weaknesses corrected Improved message integrity scheme New protection mechanism called Michael Message Integrity Check (MIC) value is added at SDU level before fragmentation into PDUs Implemented in the device driver (in software) Improved confidentiality scheme Per-packet keys to prevent attacks based on weak keys Increases IV length to 48 Bits to prevent IV reuse Use IV as replay counter Security - 07 Physical/Data Link Layer #30

TKIP: Overview (High-Level) Message Integrity Protection Payload & MIC Key Generation WEP IV WEP Key WEP Encryption Extended IV Encrypted and authenticated frames Security - 07 Physical/Data Link Layer #31

TKIP: Integrity Protection Message 64 Bit Key Source MAC Destination MAC Priority Michael Algorithm Message WEP Frame MIC MIC? MAC? Security - 07 Physical/Data Link Layer #32

TKIP: WEP Key Generation Source MAC (32 Bit) WEP Key (128 Bit) Sequence Counter (48 Bit) MSB (32 Bit) LSB (16 Bit) Key Mixing (Phase 1) 80 Bit Key Mixing (Phase 2) High Byte of Counter Fill Byte Low Byte of Counter Packet-specific Key Temporary WEP Key (128 Bit) used for encryption Security - 07 Physical/Data Link Layer #33

WEP and TKIP: Encryption (High-Level) Message Payload + WPA-MIC CRC-32 Algorithm Message WEP- ICV RC4 Temporary WEP Key (128 Bit) used for encryption Payload WEP- ICV Encrypted Message Security - 07 Physical/Data Link Layer #34

TKIP: Overview (WEP Frame Details) Message Integrity Protection Payload + MIC Key Generation WEP IV WEP Key WEP Encryption WEP-Verschlüsselung IV + EIV MAC Header IV and Key ID EIV Payload MIC WEP ICV FCS Encrypted and authenticated frames Security - 07 Physical/Data Link Layer #35

Wireless LANs Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

CCMP and WPA2 Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) Standard encryption protocol for use with the WPA2 standard Replaces RC4 stream-cipher with AES block cipher WEP ICV with (CBC-)MAC value based on AES Security - 04 Cryptology #37

CCMP and WPA2 Encryption Based on CTR mode (using AES); see chapter on cryptology Encrypts payload and MAC value to protect integrity and confidentiality Not encrypted: Headers of MAC (frame) and CCMP Integrity protection Cipher Block Chaining Message Authentication Code (CBC- MAC) Integrity protection based on CBC-MAC (using AES) See next slide Security - 04 Cryptology #38

CBC-MAC: Cipher Block Chaining MAC Uses a block cipher to create a message authentication code (MAC) Plaintext chunk #1 Plaintext chunk #2 Plaintext chunk #3 Initialization Vector (IV) Key Block Cipher Key Block Cipher Key Block Cipher MAC Security - 04 Cryptology #39

CCMP: Integrity CBC-MAC computed over MAC header CCMP header Payload Mutable fields are set to zero Input is padded with zeros if length is not multiple of 128 Bits Security - 04 Cryptology #40

Wireless LANs Wireless LANs IEEE 802.1X / EAP / PEAP

Authentication via IEEE 802.1X Access to resources after successful authentication IEEE 802.1X: EAP over Ethernet/LAN (EAPOL) For details on EAP see chapter on AAA EAP Messages IEEE 802.1X: EAP over Ethernet Arbitrary Protocol Client (Supplicant) Authenticator (e.g., access point) Authentication Server (e.g., RADIUS) Security - 07 Physical/Data Link Layer #42

Association and Authentication 802.11 association happens first Open authentication Provides access to the AP and allows an IP address to be supplied Access beyond the AP is still prohibited AP drops non-eap traffic Authentication conversation between supplicant and authentication server Wireless NIC and AP are pass through devices After authentication, AP allows full traffic Security - 07 Physical/Data Link Layer #43

Summary of the Protocol Architecture e.g., EAP-MS-CHAPv2 e.g., PEAP EAP (RFC 3748) EAPOL (802.1X) EAP over RADIUS (RFC 3579) 802.11 (WiFi) RADIUS protocol (RFC 2865) TCP/IP Client Access Point Authentication Server Security - 07 Physical/Data Link Layer #44

802.11, 802.1X, EAP (with CHAP + RADIUS) Supplicant (WiFi Client) 802.11 association Authenticator (Access Point) Authentication Server EAPOL Start EAP request for identity EAP-response (identity) Access-request EAP-request (challenge) RADIUS-challenge EAP-response (response) RADIUS-access-request EAP-succcess RADIUS-access-accept EAPOW-key (WEP/CCMP) Secure authenticated connection Security - 07 Physical/Data Link Layer #45

Result of successful authentication Authenticator and Client negotiate a private unicast key Prevents other associated clients from eavesdropping on the communication Authenticator also provides a broadcast key For broadcast communication amongst all associated clients Shared Broadcast Key Private Unicast Key Private Unicast Key 802.11 Client 802.11 AP 802.11 Client Security - 04 Cryptology #46

Example: Eduroam (Germany) Users can roam to university-run Wi-Fis worldwide Authentication by home organization Security - 07 Physical/Data Link Layer #47

Example: Eduroam (Germany) Requests are routed to the user s home organization s authentication server Based on realm : username@realm E.g., meier@uni-luebeck.de Authentication Uses a secure PEAP (TLS) tunnel to the server Server provides certificate to avoid man-in-the-middle attacks Authenticate using some EAP-method (e.g., MS-CHAPv2 at Lübeck) Security - 07 Physical/Data Link Layer #48

Example: Dennis visits Lübeck 1. Lübeck s RADIUS requests identity Dennis replies with dennis@uniheidelberg.de Lübeck 2. Realm is unknown to RADIUS server Forwards all EAP packets to DFN central RADIUS server 3. Berlin knows mapping <realm, RADIUS server> Forwards packets to Heidelberg 2. 4. 3. Berlin 4. Virtual EAP connection between Dennis computer and Heidelberg RADIUS server Dennis authenticates against this server Server presents certificate to authenticate towards Dennis 5. After authentication, access is granted locally Heidelberg Security - 04 Cryptology #49

Visitor from SF comes to Lübeck Lübeck San Francisco New York Berlin Security - 04 Cryptology #50

Summary on WiFi Security Security has always been considered important for WiFi Early solution based on WEP seriously flawed New security standard for WiFi: 802.11i TKIP (WPA) Uses RC4 runs on old hardware Corrects WEP s flaws Mandatory in WPA, optional in WPA2 CCMP (WPA2) Access control model based on 802.1X and EAP Improved key management Uses AES in CCMP mode (CTR mode and CBC-MAC) Needs new hardware that supports AES Security - 07 Physical/Data Link Layer 51/60

Literature War Driving Tools http://www.wardrive.net/wardriving/tools/ J. Schiller. Mobile Communications. 2. Auflage, Addison-Wesley, 2003 IEEE 802.11a/b/g/i Standards. http://standards.ieee.org/getieee802/802.11.html Nikita Borisov, Ian Goldberg, David Wagner. Intercepting mobile communications: the insecurity of 802.11. MOBICOM 2001, pp180-189. Scott R. Fluhrer, Itsik Mantin, Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Selected Areas in Cryptography 2001: pp1-24. Clint Chaplin, Emily Qi, Henry Ptasinski, Jesse Walker, Sheung Li. 802.11i Overview. IEEE 802.11-04/0123r1, Februar 2005 The Unofficial 802.11 Security Web Page http://www.drizzle.com/~aboba/ieee/ Security - 07 Physical/Data Link Layer #52

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information