Security protocols of existing wireless networks

Similar documents
WiFi Security: WEP, WPA, and WPA2

GSM and UMTS security

Network Security Protocols

Security in Wireless and Mobile Networks

CS 356 Lecture 29 Wireless Security. Spring 2013

White paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points.

Chapter 6 CDMA/802.11i

Wireless security. Any station within range of the RF receives data Two security mechanism

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Network Security Protocols

Security in IEEE WLANs

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Symm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2

UMTS security. Helsinki University of Technology S Security of Communication Protocols

Security Evaluation of CDMA2000

CS 336/536 Computer Network Security. Summer Term Wi-Fi Protected Access (WPA) compiled by Anthony Barnard

Lecture 3. WPA and i

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

WLAN Security. Giwhan Cho Distributed/Mobile Computing System Lab. Chonbuk National University

UNIK4250 Security in Distributed Systems University of Oslo Spring Part 7 Wireless Network Security

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE i (WPA2)

WLAN Access Security Technical White Paper. Issue 02. Date HUAWEI TECHNOLOGIES CO., LTD.

IEEE Wireless LAN Security Overview

chap18.wireless Network Security

Distributed Systems Security

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Chapter 2 Wireless Networking Basics

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

CS549: Cryptography and Network Security

Wireless LAN Security Mechanisms

Wireless Local Area Network Security Obscurity Through Security

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Authentication and Security in IP based Multi Hop Networks

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

How To Secure Your Network With 802.1X (Ipo) On A Pc Or Mac Or Macbook Or Ipo On A Microsoft Mac Or Ipow On A Network With A Password Protected By A Keyed Key (Ipow)

Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story

A DISCUSSION OF WIRELESS SECURITY TECHNOLOGIES

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

Wireless Security: Token, WEP, Cellular

Network security, TKK, Nov

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2003): 15 Wireless LAN Security 1. Dr.-Ing G.

How To Secure Wireless Networks

Huawei WLAN Authentication and Encryption

Netzwerksicherheit: Anwendungen

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

Vulnerabilities of Wireless Security protocols (WEP and WPA2)

WIRELESS NETWORK SECURITY

The next generation of knowledge and expertise Wireless Security Basics

Chapter 10: Designing and Implementing Security for Wireless LANs Overview

Advanced Security Issues in Wireless Networks

Wireless LAN Security I: WEP Overview and Tools

A SURVEY OF WIRELESS NETWORK SECURITY PROTOCOLS

Wireless Networking Basics. NETGEAR, Inc Great America Parkway Santa Clara, CA USA

XIV. Title. 2.1 Schematics of the WEP Encryption in WEP technique Decryption in WEP technique Process of TKIP 25

Wireless Networks. Welcome to Wireless

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Wireless Technology Seminar

Mobile Office Security Requirements for the Mobile Office

The Importance of Wireless Security

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

WiFi Security: Deploying WPA/WPA2/802.1X and EAP in the Enterprise

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

Analysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal

Authentication in WLAN

Mobile Network Security

Lecture 2 Secure Wireless LAN

A Vulnerability in the UMTS and LTE Authentication and Key Agreement Protocols

Certified Wireless Security Professional (CWSP) Course Overview

The Basics of Wireless Local Area Networks

Mobile Phone Security. Hoang Vo Billy Ngo

WIRELESS SECURITY IN (WI-FI ) NETWORKS

WiFi Security Assessments

WLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles

SSI. Commons Wireless Protocols WEP and WPA2. Bertil Maria Pires Marques. Dez Dez

CCMP known-plain-text attack

Wireless Pre-Shared Key Cracking (WPA, WPA2)

DESIGNING AND DEPLOYING SECURE WIRELESS LANS. Karl McDermott Cisco Systems Ireland

WI-FI SECURITY: A LITERATURE REVIEW OF SECURITY IN WIRELESS NETWORK

IEEE 802.1X For Wireless LANs

Wired Equivalent Privacy (WEP) versus Wi-Fi Protected Access (WPA)

Recommended Wireless Local Area Network Architecture

Key Management (Distribution and Certification) (1)

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Transcription:

Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ Security protocols of existing wireless networks cellular networks: - GSM; - UMTS; Bluetooth; WiFi LANs; 2007 Levente Buttyán and Jean-Pierre Hubaux Why is security more of a concern in wireless? no inherent physical protection physical connections between devices are replaced by logical associations sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.) broadcast communications wireless usually means radio, which has a broadcast nature transmissions can be overheard by anyone in range anyone can generate transmissions, which will be received by other devices in range which will interfere with other nearby transmissions and may prevent their correct reception (jamming) eavesdropping is easy injecting bogus messages into the network is easy replaying previously recorded messages is easy illegitimate access to the network and its services is easy denial of service is easily achieved by jamming 2/61

Wireless communication security requirements confidentiality messages sent over wireless links must be encrypted authenticity origin of messages received over wireless links must be verified replay detection freshness of messages received over wireless links must be checked integrity modifying messages on-the-fly (during radio transmission) is not so easy, but possible integrity of messages received over wireless links must be verified access control access to the network services should be provided only to legitimate entities access control should be permanent it is not enough to check the legitimacy of an entity only when it joins the network and its logical associations are established, because logical associations can be hijacked protection against jamming 3/61 Chapter outline 1.3.3 Bluetooth 4/61

GSM Security main security requirement subscriber authentication (for the sake of billing) challenge-response protocol long-term secret key shared between the subscriber and the home network operator supports roaming without revealing long-term key to the visited networks other security services provided by GSM confidentiality of communications and signaling over the wireless interface encryption key shared between the subscriber and the visited network is established with the help of the home network as part of the subscriber authentication protocol protection of the subscriber s identity from eavesdroppers on the wireless interface usage of short-term temporary identifiers GSM security 5/61 The SIM card (Subscriber Identity Module) Must be tamper-resistant Protected by a PIN code (checked locally by the SIM) Is removable from the terminal Contains all data specific to the end user which have to reside in the Mobile Station: IMSI: International Mobile Subscriber Identity (permanent user s identity) PIN TMSI (Temporary Mobile Subscriber Identity) K i : User s secret key K c : Ciphering key List of the last call attempts List of preferred operators Supplementary service data (abbreviated dialing, last short messages received,...) GSM security 6/61

Cryptographic algorithms of GSM Random number R User s secret key K i A3 A8 R S K c Triplet Authentication A5 Ciphering algorithm K c : ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm) GSM security 7/61 Authentication principle of GSM Mobile Station Visited network Home network IMSI/TMSI K i R IMSI (or TMSI) IMSI A8 A8 A3 A3 Triplets (K c, R, S) K c S Authenticate (R) Triplets K i R A8 A8 A3 A3 K c S Auth-ack(S ) S=S? S=S? GSM security 8/61

Ciphering in GSM K c FRAME NUMBER K c FRAME NUMBER A5 A5 A5 A5 CIPHERING SEQUENCE CIPHERING SEQUENCE PLAINTEXT SEQUENCE CIPHERTEXT SEQUENCE PLAINTEXT SEQUENCE Sender (Mobile Station or Network) Receiver (Network or Mobile Station) GSM security 9/61 Conclusion on GSM security Focused on the protection of the air interface, no protection on the wired part of the network (neither for privacy nor for confidentiality) No integrity protection on the air interface stream ciphered data can be easily modified The visited network has access to all data (except the secret key of the end user) Algorithms are not public Generally robust, but a few successful attacks have been reported: faked base stations cloning of the SIM card (weakness of COMP-128) GSM security 10/61

3GPP Security Principles (1/2) Reuse of 2 nd generation security principles (GSM): Removable hardware security module In GSM: SIM card In 3GPP: USIM (User Services Identity Module) Radio interface encryption Limited trust in the Visited Network Protection of the identity of the end user (especially on the radio interface) Correction of the following weaknesses of the previous generation: Possible attacks from a faked base station Cipher keys and authentication data transmitted in clear between and within networks Encryption not used in some networks open to fraud Data integrity not provided UMTS security 11/61 3GPP Security Principles (2/2) New security features New kind of service providers (content providers, HLR only service providers, ) Increased control for the user over their service profile Enhanced resistance to active attacks Increased importance of non-voice services UMTS security 12/61

Authentication in 3GPP Mobile Station Visited Network Home Environment Sequence number (SQN) RAND(i) K: User s secret key Generation Generationof of cryptographic cryptographicmaterial K User authentication request RAND( i) AUTN( i) IMSI/TMSI Authentication vectors Verify VerifyAUTN(i) Compute ComputeRES(i) User authentication response RES(i) Compare Compare RES(i) RES(i) and and XRES(i) XRES(i) Compute ComputeCK(i) CK(i) and and IK(i) IK(i) Select Select CK(i) CK(i) and and IK(i) IK(i) UMTS security 13/61 Generation of the authentication vectors Get Get next nextsqn AMF Generate GenerateRAND K f1 f1 f2 f2 f3 f3 f4 f4 f5 f5 MAC (Message Authentication Code) XRES (Expected Result) CK (Cipher Key) IK (Integrity Key) AK (Anonymity Key) AUTN : = ( SQN AK ) AMF MAC AV : = RAND XRES CK IK AUTN AMF: Authentication and Key Management Field AUTN: Authentication Token AV: Authentication Vector UMTS security 14/61

User Authentication Function in the USIM RAND SQN AK AUTN AMF MAC f5 f5 AK SQN K f1 f1 f2 f2 f3 f3 f4 f4 XMAC (Expected MAC) RES (Result) CK (Cipher Key) IK (Integrity Key) Verify VerifyMAC = XMAC XMAC Verify Verifythat thatsqn is isin in the the correct correct range range USIM: User Services Identity Module UMTS security 15/61 More about the authentication and key generation f1, f2, f3, f4, f5 are operator-specific However, 3GPP provides a detailed example of algorithm set, called MILENAGE based on the Rijndael block cipher UMTS security 16/61

Authentication and key generation functions f1 f5* RAND SQN AMF OP c OP E K OP c E K OP c OP c OP c OP c OP c rotate by r1 rotate by r2 rotate by r3 rotate by r4 rotate by r5 c1 c2 c3 c4 c5 E K E K E K E K E K OP c OP c OP c OP c OP c f1 f2 f3 f4 f5 OP: OP: operator-specific parameter r1,, r1,, r5: r5: fixed fixedrotation constants c1,, c1,, c5: c5: fixed fixed addition addition constants E K : K : Rijndael block block cipher cipherwith 128 128 bits bits text textinput and and 128 128 bits bits key key UMTS security 17/61 Signalling integrity protection method SIGNALLING MESSAGE SIGNALLING MESSAGE FRESH FRESH COUNT-I DIRECTION COUNT-I DIRECTION IK f9 f9 IK f9 f9 MAC-I XMAC-I Sender (Mobile Station or Radio Network Controller) Receiver (Radio Network Controller or Mobile Station) FRESH: FRESH: random random number number generated generated by by the the network network and and sent sent to to the the mobile mobile UMTS security 18/61

The MAC function f9 COUNT FRESH MESSAGE DIRECTION 10 0 IK KASUMI IK KASUMI KASUMI IK KASUMI IK MAC-I KASUMI IK 19/61 Ciphering method BEARER LENGTH BEARER LENGTH COUNT-C DIRECTION COUNT-C DIRECTION CK f8 f8 CK f8 f8 KEYSTREAM BLOCK KEYSTREAM BLOCK PLAINTEXT BLOCK CIPHERTEXT BLOCK PLAINTEXT BLOCK Sender (Mobile Station or Radio Network Controller) Receiver (Radio Network Controller or Mobile Station) BEARER: radio radio bearer beareridentifier COUNT-C: ciphering sequence counter counter UMTS security 20/61

The keystream generator f8 COUNT BEARER DIRECTION 0 0 CK KM KASUMI KM: KM: Key Key Modifier Modifier KS: KS: Keystream Keystream Register BLKCNT=0 BLKCNT=1 BLKCNT=2 BLKCNT=BLOCKS-1 CK KASUMI CK KASUMI CK KASUMI CK KASUMI KS[0] KS[63] KS[64] KS[127] UMTS security KS[128] KS[191] 21/61 Details of Kasumi KL i i, KO i i, KI i i : subkeys used at ith round S7, S9: S-boxes L 0 32 KL 1 FL1 R 0 64 32 16 32 16 16 9 7 KO 1, KI 1 FIi1 KO i,1 S9 FO1 KI i,1 Zero-extend KO 2, KI 2 FO2 KL 2 FL2 FIi2 KO i,2 S7 truncate KL 3 FL3 KO 3, KI 3 FO3 KI i,2 KI i,j,1 KI i,j,2 KO 4, KI 4 FO4 KL 4 FL4 FIi3 KO i,3 S9 Zero-extend KI i,3 KL KO 5, KI 5 5 FL5 FO5 KO 6, KI 6 KL 6 FO6 FL6 S7 truncate L 8 KL 7 FL7 KO 8, KI 8 FO8 C KO 7, KI 7 FO7 KL 8 FL8 Fig. 1 : KASUMI R 8 Fig. 2 : FO Function 32 16 16 KL i,1 Fig. 4 : FL Function <<< UMTS security <<< KL i,2 Fig. 3 : FI Function Bitwise AND operation Bitwise OR operation <<< One bit left rotation 22/61

Conclusion on 3GPP security Some improvement with respect to 2 nd generation Cryptographic algorithms are published Integrity of the signalling messages is protected Quite conservative solution Privacy/anonymity of the user not completely protected 2 nd /3 rd generation interoperation will be complicated and might open security breaches UMTS security 23/61 Chapter outline 1.3.3 Bluetooth 24/61

Introduction to WiFi connected scanning on each channel STA association response association request AP beacon - MAC header - timestamp - beacon interval - capability info - SSID (network name) - supported data rates - radio parameters - power slave flags 25/61 Introduction to WiFi AP Internet 26/61

WEP Wired Equivalent Privacy part of the IEEE 802.11 specification goal make the WiFi network at least as secure as a wired LAN (that has no particular protection mechanisms) WEP was never intended to achieve strong security services access control to the network message confidentiality message integrity Wired Equivalent Privacy (WEP) 27/61 WEP Access control before association, the STA needs to authenticate itself to the AP authentication is based on a simple challenge-response protocol: STA AP: authenticate request AP STA: authenticate challenge (r) // r is 128 bits long STA AP: authenticate response (e K (r)) AP STA: authenticate success/failure once authenticated, the STA can send an association request, and the AP will respond with an association response if authentication fails, no association is possible Wired Equivalent Privacy (WEP) 28/61

WEP Message confidentiality and integrity WEP encryption is based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.) operation: for each message to be sent: RC4 is initialized with the shared secret (between STA and AP) RC4 produces a pseudo-random byte sequence (key stream) this pseudo-random byte sequence is XORed to the message reception is analogous it is essential that each message is encrypted with a different key stream the RC4 generator is initialized with the shared secret and an IV (initial value) together shared secret is the same for each message 24-bit IV changes for every message WEP integrity protection is based on an encrypted CRC value operation: ICV (integrity check value) is computed and appended to the message the message and the ICV are encrypted together Wired Equivalent Privacy (WEP) 29/61 WEP Message confidentiality and integrity message + ICV IV secret key RC4 RC4 K encode IV message + ICV decode IV secret key RC4 RC4 K K: pseudo-random sequence message + ICV Wired Equivalent Privacy (WEP) 30/61

WEP Keys two kinds of keys are allowed by the standard default key (also called shared key, group key, multicast key, broadcast key, key) key mapping keys (also called individual key, per-station key, unique key) id:x key:abc default key id:x key:def key mapping key id:y key:abc id:y key:ghi id:z key:abc key:abc id:z key:jkl id:x key:def id:y key:ghi id:z key:jkl in practice, often only default keys are supported the default key is manually installed in every STA and the AP each STA uses the same shared secret key in principle, STAs can decrypt each other s messages Wired Equivalent Privacy (WEP) 31/61 WEP Management of default keys the default key is a group key, and group keys need to be changed when a member leaves the group e.g., when someone leaves the company and shouldn t have access to the network anymore it is practically impossible to change the default key in every device simultaneously hence, WEP supports multiple default keys to help the smooth change of keys one of the keys is called the active key the active key is used to encrypt messages any key can be used to decrypt messages the message header contains a key ID that allows the receiver to find out which key should be used to decrypt the message Wired Equivalent Privacy (WEP) 32/61

WEP The key change process time abc* --- abc* --- * active key abc* --- abc* def abc def* --- def* abc def* --- def* --- def* Wired Equivalent Privacy (WEP) 33/61 WEP flaws Authentication and access control authentication is one-way only AP is not authenticated to STA STA is at risk to associate to a rogue AP the same shared secret key is used for authentication and encryption weaknesses in any of the two protocols can be used to break the key no session key is established during authentication access control is not continuous once a STA has authenticated and associated to the AP, an attacker send messages using the MAC address of STA correctly encrypted messages cannot be produced by the attacker, but replay of STA messages is still possible STA can be impersonated next slide Wired Equivalent Privacy (WEP) 34/61

WEP flaws Authentication and access control recall that authentication is based on a challenge-response protocol: AP STA: r STA AP: IV r K where K is a 128 bit RC4 output on IV and the shared secret an attacker can compute r (r K) = K then it can use K to impersonate STA later: AP attacker: r attacker AP: IV r K Wired Equivalent Privacy (WEP) 35/61 WEP flaws Integrity and replay protection There s no replay protection at all IV is not mandated to be incremented after each message The attacker can manipulate messages despite the ICV mechanism and encryption CRC is a linear function wrt to XOR: CRC(X Y) = CRC(X) CRC(Y) - attacker observes (M CRC(M)) K where K is the RC4 output - for any M, the attacker can compute CRC( M) - hence, the attacker can compute: ((M CRC(M)) K) ( M CRC( M)) = ((M M) (CRC(M) CRC( M))) K = ((M M) CRC(M M)) K Wired Equivalent Privacy (WEP) 36/61

WEP flaws Confidentiality IV reuse IV space is too small IV size is only 24 bits there are 16,777,216 possible IVs after around 17 million messages, IVs are reused a busy AP at 11 Mbps is capable for transmitting 700 packets per second IV space is used up in around 7 hours in many implementations IVs are initialized with 0 on startup if several devices are switched on nearly at the same time, they all use the same sequence of IVs if they all use the same default key (which is the common case), then IV collisions are readily available to an attacker weak RC4 keys for some seed values (called weak keys), the beginning of the RC4 output is not really random if a weak key is used, then the first few bytes of the output reveals a lot of information about the key breaking the key is made easier for this reason, crypto experts suggest to always throw away the first 256 bytes of the RC4 output, but WEP doesn t do that due to the use of IVs, eventually a weak key will be used, and the attacker will know that, because the IV is sent in clear WEP encryption can be broken by capturing a few million messages!!! Wired Equivalent Privacy (WEP) 37/61 WEP Lessons learnt 1. Engineering security protocols is difficult One can combine otherwise strong building blocks in a wrong way and obtain an insecure system at the end Example 1: stream ciphers alone are OK challenge-response protocols for entity authentication are OK but they shouldn t be combined Example 2: encrypting a message digest to obtain an ICV is a good principle but it doesn t work if the message digest function is linear wrt to the encryption function Don t do it alone (unless you are a security expert) functional properties can be tested, but security is a non-functional property it is extremely difficult to tell if a system is secure or not Using an expert in the design phase pays out (fixing the system after deployment will be much more expensive) experts will not guarantee that your system is 100% secure but at least they know many pitfalls they know the details of crypto algorithms 2. Avoid the use of WEP (as much as possible) Wired Equivalent Privacy (WEP) 38/61

Overview of 802.11i After the collapse of WEP, IEEE started to develop a new security architecture 802.11i Main novelties in 802.11i wrt to WEP access control model is based on 802.1X flexible authentication framework (based on EAP Extensible Authentication Protocol) authentication can be based on strong protocols (e.g., TLS Transport Layer Security) authentication process results in a shared session key (which prevents session hijacking) different functions (encryption, integrity) use different keys derived from the session key using a one-way function integrity protection is improved encryption function is improved IEEE 802.11i 39/61 Overview of 802.11i 802.11i defines the concept of RSN (Robust Security Network) integrity protection and encryption is based on AES (and not on RC4 anymore) nice solution, but needs new hardware cannot be adopted immediately 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol) integrity protection is based on Michael (we will skip the details of that) encryption is based on RC4, but WEP s problems have been avoided ugly solution, but runs on old hardware (after software upgrade) Industrial names TKIP WPA (WiFi Protected Access) RSN/AES WPA2 IEEE 802.11i 40/61

802.1X authentication model supplicant sys supplicant supplicant services services port authenticator system controls authenticator authenticator auth server sys authentication authentication server server LAN the supplicant requests access to the services (wants to connect to the network) the authenticator controls access to the services (controls the state of a port) the authentication server authorizes access to the services the supplicant authenticates itself to the authentication server if the authentication is successful, the authentication server instructs the authenticator to switch the port on the authentication server informs the supplicant that access is allowed IEEE 802.11i 41/61 Mapping the 802.1X model to WiFi supplicant mobile device (STA) authenticator access point (AP) authentication server server application running on the AP or on a dedicated machine port logical state implemented in software in the AP one more thing is added to the basic 802.1X model in 802.11i: successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server the session key is sent to the AP in a secure way this assumes a shared key between the AP and the auth server this key is usually set up manually IEEE 802.11i 42/61

Protocols EAP, EAPOL, and RADIUS EAP (Extensible Authentication Protocol) [RFC 3748] carrier protocol designed to transport the messages of real authentication protocols (e.g., TLS) very simple, four types of messages: EAP request carries messages from the supplicant to the authentication server EAP response carries messages from the authentication server to the supplicant EAP success signals successful authentication EAP failure signals authentication failure authenticator doesn t understand what is inside the EAP messages, it recognizes only EAP success and failure EAPOL (EAP over LAN) [802.1X] used to encapsulate EAP messages into LAN protocols (e.g., Ethernet) EAPOL is used to carry EAP messages between the STA and the AP RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] used to carry EAP messages between the AP and the auth server MS-MPPE-Recv-Key attribute is used to transport the session key from the auth server to the AP RADIUS is mandated by WPA and optional for RSN IEEE 802.11i 43/61 EAP in action STA encapsulated in EAPOL AP auth server EAPOL-Start EAP Request (Identity) encapsulated in RADIUS EAP Response (Identity) EAP Response (Identity) embedded auth. protocol EAP Request 1 EAP Request 1 EAP Response 1 EAP Response 1...... EAP Request n EAP Request n EAP Response n EAP Response n EAP Success EAP Success IEEE 802.11i 44/61

Protocols LEAP, EAP-TLS, PEAP, EAP-SIM LEAP (Light EAP) developed by Cisco similar to MS-CHAP extended with session key transport EAP-TLS (TLS over EAP) only the TLS Handshake Protocol is used server and client authentication, generation of master secret TLS maser secret becomes the session key mandated by WPA, optional in RSN PEAP (Protected EAP) phase 1: TLS Handshake without client authentication phase 2: client authentication protected by the secure channel established in phase 1 EAP-SIM extended GSM authentication in WiFi context protocol (simplified) : STA AP: EAP res ID ( IMSI / pseudonym ) STA AP: EAP res ( nonce ) AP: [gets two auth triplets from the mobile operator s AuC] AP STA: EAP req ( 2*RAND MIC 2*Kc {new pseudonym} 2*Kc ) STA AP: EAP res ( 2*SRES ) AP STA: EAP success IEEE 802.11i 45/61 Summary of the protocol architecture TLS TLS (RFC (RFC 2246) 2246) EAP-TLS EAP-TLS (RFC (RFC 2716) 2716) EAP EAP (RFC (RFC 3748) 3748) EAPOL EAPOL (802.1X) (802.1X) 802.11 802.11 EAP EAP over over RADIUS RADIUS (RFC (RFC 3579) 3579) RADIUS RADIUS (RFC (RFC 2865) 2865) TCP/IP TCP/IP 802.3 802.3 or or else else mobile device AP auth server IEEE 802.11i 46/61

Key hierarchies 802.1X authentication random generation in AP PMK (pairwise master key) GMK (group master key) key derivation in STA and AP key derivation in AP PTK (pairwise transient keys): - key encryption key - key integrity key - data encryption key - data integrity key (128 bits each) protection protection GTK (group transient keys): -group encryption key - group integrity key transport to every STA protection unicast message trans. between STA and AP broadcast messages trans. from AP to STAs IEEE 802.11i 47/61 Four-way handshake objective: prove that AP also knows the PMK (result of authentication) exchange random values to be used in the generation of PTK protocol: AP : generate ANonce AP STA : ANonce KeyReplayCtr STA : generate SNonce and compute PTK STA AP : SNonce KeyReplayCtr MIC KIK AP : compute PTK, generate GTK, and verify MIC AP STA : ANonce KeyReplayCtr+1 {GTK} KEK MIC KIK STA : verify MIC and install keys STA AP : KeyReplayCtr+1 MIC KIK AP : verify MIC and install keys MIC KIK : Message Integrity Code (computed by the mobile device using the key-integrity key) KeyReplayCtr: used to prevent replay attacks IEEE 802.11i 48/61

PTK and GTK computation for TKIP PRF-512( PMK, Pairwise key expansion, MAC1 MAC2 Nonce1 Nonce2 ) = = KEK KIK DEK DIK PRF-256( GMK, Group key expansion, MAC GNonce ) = = GEK GIK for AES-CCMP PRF-384( PMK, Pairwise key expansion, MAC1 MAC2 Nonce1 Nonce2 ) = = KEK KIK DE&IK PRF-128( GMK, Group key expansion, MAC GNonce ) = = GE&IK IEEE 802.11i 49/61 TKIP runs on old hardware (supporting RC4), but WEP weaknesses are corrected new message integrity protection mechanism called Michael MIC value is added at SDU level before fragmentation into PDUs implemented in the device driver (in software) use IV as replay counter increase IV length to 48 bits in order to prevent IV reuse per-packet keys to prevent attacks based on weak keys IEEE 802.11i 50/61

TKIP Generating RC4 keys 48 bits IV upper 32 bits lower 16 bits data encryption key from PTK 128 bits key key mix mix (phase (phase 1) 1) MAC address dummy byte key keymix mix (phase (phase 2) 2) IV d IV per-packet key RC4 seed value 3x8 = 24 bits 104 bit IEEE 802.11i 51/61 AES-CCMP CCMP means CTR mode and CBC-MAC integrity protection is based on CBC-MAC (using AES) encryption is based on CTR mode (using AES) CBC-MAC CBC-MAC is computed over the MAC header, CCMP header, and the MPDU (fragmented data) mutable fields are set to zero input is padded with zeros if length is not multiple of 128 (bits) CBC-MAC initial block: flag (8) priority (8) source address (48) packet number (48) data length (16) final 128-bit block of CBC encryption is truncated to (upper) 64 bits to get the CBC- MAC value CTR mode encryption MPDU and CBC-MAC value is encrypted, MAC and CCMP headers are not format of the counter is similar to the CBC-MAC initial block data length is replaced by counter counter is initialized with 1 and incremented after each encrypted block IEEE 802.11i 52/61

Summary on WiFi security security has always been considered important for WiFi early solution was based on WEP seriously flawed not recommended to use the new security standard for WiFi is 802.11i access control model is based on 802.1X flexible authentication based on EAP and upper layer authentication protocols (e.g., TLS, GSM authentication) improved key management TKIP uses RC4 runs on old hardware corrects WEP s flaws mandatory in WPA, optional in RSN (WPA2) AES-CCMP uses AES in CCMP mode (CTR mode and CBC-MAC) needs new hardware that supports AES IEEE 802.11i 53/61 Chapter outline 1.3.3 Bluetooth 54/61

Bluetooth Short-range communications, master-slave principle Eavesdropping is difficult: Frequency hopping Communication is over a few meters only Security issues: Authentication of the devices to each other Confidential channel based on secret link key 1.3.3 Bluetooth 55/61 Bluetooth When two devices communicate for the first time: Set up the temporary initialization key. 1.3.3 Bluetooth 56/61

Bluetooth Setting up the link key: 1.3.3 Bluetooth 57/61 Bluetooth The authentication protocol: 1.3.3 Bluetooth 58/61

Bluetooth Generation of the encryption key and the key stream: 1.3.3 Bluetooth 59/61 Weaknesses The strength of the whole system is based on the strength of the PIN: PIN: 4-digit number, easy to try all 10000 possible values. PIN can be cracked off-line. many devices use the default PIN. For memory-constrained devices: the link key = the longterm unit key of the device. Fixed and unique device addresses: privacy problem. Weaknesses in the E 0 stream cipher. 1.3.3 Bluetooth 60/61

Conclusion Security issues of wireless networks: wireless channel: easy to eavesdrop on, jam, overuse Users: usually mobile Classical requirements: authentication, confidentiality, integrity, availability Location privacy: unique to mobile networks. Mobile devices: Limited resources Lack of physical protection roaming of users across different networks 61/61

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information