Advanced Security and Mobile Networks W.Buchanan (1)bill/asmn/unit07_wireless.pdf · sources using...

Unit 7: Wireless. Advanced Security and Mobile Networks. W. Buchanan.

Security Elements

7. Mobile Networks
   • Wireless
   • Security
   • Mobile IP
   • Mobile Agents
   • Spread spectrum
   • Military/Emergency Networks
8. Ad-hoc
9. GSM/3G

Wireless connections … which technology?

• Mobile phone technology. This integrates with the GSM network.

• Wireless (IEEE 802.11). This is normally integrated with a fixed network.

• Bluetooth. This normally allows networking between non-computer-type devices, such as mobile phones, hi-fis, and so on.

• Infra-red. This technology is too slow and has too limited a range for most applications.

• Line-of-sight optics. This allows for easy connections between buildings, and involves a laser directing its beam to a receiver. It is typically used around cities and gives speeds of several Gbps.

IEEE 802.11 - Wireless

• IEEE 802.11a. 802.11a deals with communications in the 5GHz frequency band, and has a maximum data rate of 54 Mbps.

• IEEE 802.11b. 802.11b, or Wi-Fi, is the standard that is most commonly used in wireless LAN communications. It has a maximum bandwidth of 11Mbps, at a frequency of 2.4GHz.

• IEEE 802.11c. 802.11c is a group set up to deal with bridging operations when developing access points.

• IEEE 802.11f. 802.11f is concerned with standardising access point roaming, which involves making sure that interoperability between access points is guaranteed.

• IEEE 802.11g (Proposed). 802.11g is a proposed standard that hopes to provide 54Mbps maximum bandwidth over a 2.4GHz connection, the same frequency as the popular 802.11b standard.

IEEE 802.11b

Operating Channels: 11 for N. America, 14 Japan, 13 Europe (ETSI), 2 Spain, 4 France

Operating Frequency: 2.412-2.462 GHz (North America), 2.412-2.484 GHz (Japan), 2.412-2.472 GHz (Europe ETSI), 2.457-2.462 GHz (Spain), 2.457-2.472 GHz (France)

Data Rate: 1, 2, 5.5 or 11 Mbps

Media Access Protocol: CSMA/CA, 802.11 compliant

Range: 11 Mbps: 140 m (460 feet); 5.5 Mbps: 200 m (656 feet); 2 Mbps: 270 m (885 feet); 1 Mbps: 400 m (1311 feet)

RF Technology: Direct Sequence Spread Spectrum

Modulation: CCK (11 Mbps, 5.5 Mbps), DQPSK (2 Mbps), DBPSK (1 Mbps)

Wireless access point

A wireless access point (AP) allows several wireless clients to connect to a single device.

Wireless adaptor

Figure: a wireless (IEEE 802.11b) connection, and possibly a Bluetooth connection.

IEEE 802.11b settings (figure only)

Infrastructure network

Figure labels: Server; Access point; LAN01; LAN02; Access point; Ethernet backbone.

SSID

Figure: two access points, each attached to an Ethernet, with their wireless clients; every client and access point is labelled SSID = group 1.

Ad-hoc network

Figure labels: Ad-hoc wireless LAN 1; Ad-hoc wireless LAN 2; Channel is identical, such as channel = 3; Channel = 5.

Span of network

Figure labels: Ad-hoc: L, Radius of coverage = 2L. Infrastructure: Access point, L, L.

Applications of Ad-hoc networks

• Military and rescue operations
  - Battlefield
  - Evacuation of a building on fire

• Terrorism & Rescue Operations

• Hospitals
  - Retrieve patient's information from hospital's database while in surgery

• Conference meetings
  - Share information quickly
  - Schedule meetings

• Networking while on the road
  - Inter-vehicle communication

Network settings

• Authentication algorithm. This sets whether the adapter uses an open system (where other nodes can listen to the communications), or uses encryption (using either a WEP key, or a shared key).

• Channel. If an ad-hoc network is used, then the nodes which communicate must use the same channel.

• Fragmentation threshold. This can be used to split large data frames into smaller fragments. The value can range from 64 to 1500 bytes. This is used to improve the efficiency when there is a high amount of traffic on the wireless network, as smaller frames make more efficient usage of the network.

• Network type. This can either be set to an infrastructure network (which uses access points, or wireless hubs) or Ad-hoc, which allows nodes to interconnect without the need for an access point.

Network settings (cont.)

• Preamble mode. This can either be set to Long (which is the default) or Short. A long preamble allows for interoperability with the 1Mbps and 2Mbps DSSS specifications. The short preamble allows for faster operation (as the preamble is kept to a minimum) and can be used where the transmission parameters must be maximized and there are no interoperability problems.

• RTS/CTS threshold. The RTS threshold prevents the Hidden Node problem, where two wireless nodes are within range of the same access point, but are not within range of each other. As they do not know that they both exist on the network, they may try to communicate with the access point at the same time. When they do, their data frames may collide when arriving simultaneously at the access point, which causes a loss of data frames from the nodes. The RTS threshold tries to overcome this by enabling the handshaking signals Ready To Send (RTS) and Clear To Send (CTS). When a node wishes to communicate with the access point it sends an RTS signal to the access point. Once the access point determines that it can then communicate, the access point sends a CTS message. The node can then send its data.

Problems with wireless environments

• Multipath radio wave propagation. Radio waves propagate outwards in all directions, and will thus hit obstacles, which causes multiple paths for the radio wave. These waves thus add to or subtract from the signal, and can cause distortion on the wave.

• Radio data frames collide. Two or more radio devices can be transmitting a data frame at the same time using the same radio frequency. The data frames may thus collide and cause errors in the data frames.

• Out-of-range threshold. Wireless devices which are at the boundary of the wireless domain can suffer from problems with signal strength as the data frames are being transmitted. This will typically occur when a device is moving around the threshold of the domain, as weak signal strengths are more affected by noise than strong ones.

• Noisy environment. Many types of electrical equipment can generate high-frequency radio waves, which might interfere with the transmitted data frame.

Multiple paths for the wireless signal (figure only)

CSMA/CA and PCF

IEEE 802.11 can use two mechanisms for shared access:

• CSMA/CA. CSMA/CA is, like standard Ethernet (IEEE 802.3), a contention-based protocol, but uses collision avoidance rather than collision detection. It would be impossible to use collision detection as a radio is always either sending or receiving and can never do both at the same time. The nodes will thus not be able to listen on the channel while they are transmitting.

• Point Coordination Function (PCF). This is an optional priority-based protocol, which provides contention-free frame transfer for transmission of time-critical data, such as real-time video or audio. With this, the point coordinator (PC) operates in the wireless access point and identifies the devices which are allowed to transmit at any given time. Then, within the contention-free (CF) period, the PC polls each of the PCF-enabled devices to determine if they wish to transmit data frames. No other device is allowed to transmit while another node is being polled. Thus, PCF is contention-free and enables devices to transmit data frames synchronously, with defined time delays between data frame transmissions.

CSMA/CD

Figure labels: 1. Listen for no activity; 2. ACK; ACK time-out, which means one of:

• Node has gone.

• Data frame has collided with another.

• Data frame corrupted with noise.

IEEE 802.11 data frame

Frame control (2 bytes) | Duration/ID (2) | Address 1 (6) | Address 2 (6) | Address 3 (6) | Sequence control (2) | Address 4 (6) | Frame body (0-2312) | FCS (4)

• Frame control. This contains control information.

• Duration/ID. This contains information on how long the data frame will last.

• Address fields. These contain different types of address, such as an individual address or a group address. The two main types of group address are broadcast and multicast.

• Sequence control. This identifies the sequence number of the data frame, and allows the recipient to check for missing or duplicate data frames.

• Frame body. This part contains the actual data. The maximum amount is 2312 bytes, but most implementations use up to 1500 bytes.

• FCS (Frame Check Sequence). This is a strong error detection code.
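The field layout above, worked through in code. This is an added example, not from the slides: a Python parser for the generic 802.11 MAC header that splits out the frame-control flags, the three or four addresses, the sequence and fragment numbers and the body, and verifies the FCS (the same CRC-32 as Ethernet, appended least-significant byte first). The sample frames, addresses and payloads are constructed here; the 3-byte IV and key-ID byte read from the start of a protected body follow the WEP body layout, which this slide does not show.

```python
import struct
import zlib

# Frame-control bit positions (16-bit little-endian field at the start of the header)
FC_TYPE_MASK = 0x000C      # bits 2-3: 0 = management, 1 = control, 2 = data
FC_SUBTYPE_MASK = 0x00F0   # bits 4-7
FC_TO_DS = 0x0100
FC_FROM_DS = 0x0200
FC_MORE_FRAG = 0x0400
FC_RETRY = 0x0800
FC_PROTECTED = 0x4000      # the "WEP" bit: the frame body is encrypted
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
MAX_BODY = 2312            # maximum frame body length given on the slide


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(fc: int, duration: int, addr1: bytes, addr2: bytes, addr3: bytes,
                seq: int, frag: int, body: bytes, addr4: bytes = b"") -> bytes:
    """Assemble header + body and append the FCS: CRC-32 over everything before it,
    least-significant byte first, as on Ethernet."""
    if len(body) > MAX_BODY:
        raise ValueError(f"frame body exceeds {MAX_BODY} bytes")
    header = struct.pack("<HH", fc, duration) + addr1 + addr2 + addr3
    header += struct.pack("<H", ((seq & 0x0FFF) << 4) | (frag & 0x000F))
    header += addr4  # present only when both ToDS and FromDS are set
    payload = header + body
    return payload + struct.pack("<I", zlib.crc32(payload))


def parse_frame(frame: bytes) -> dict:
    """Split a raw 802.11 frame into the fields on the slide and verify its FCS."""
    if len(frame) < 24 + 4:
        raise ValueError("too short for a 3-address header plus FCS")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    offset = 30 if (to_ds and from_ds) else 24   # Address 4 only in bridge/WDS frames
    if len(frame) < offset + 4:
        raise ValueError("too short for a 4-address header plus FCS")
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    body = frame[offset:-4]
    (fcs_rx,) = struct.unpack_from("<I", frame, len(frame) - 4)
    info = {
        "type": TYPE_NAMES[(fc & FC_TYPE_MASK) >> 2],
        "subtype": (fc & FC_SUBTYPE_MASK) >> 4,
        "to_ds": to_ds, "from_ds": from_ds,
        "more_frag": bool(fc & FC_MORE_FRAG), "retry": bool(fc & FC_RETRY),
        "protected": bool(fc & FC_PROTECTED),
        "duration": duration,
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "addr4": mac_str(frame[24:30]) if offset == 30 else None,
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0x0F,
        "body": body,
        # The FCS catches transmission errors; it is not an authenticity check.
        "fcs_ok": zlib.crc32(frame[:-4]) == fcs_rx,
    }
    if info["protected"] and len(body) >= 4:
        # WEP body layout: 3-byte IV, then a key-ID byte (key index in its top two bits)
        info["wep_iv"] = body[:3].hex()
        info["wep_key_id"] = body[3] >> 6
    return info


def unprotected_data_frames(frames) -> list:
    """Monitoring check: intact data frames sent in the clear on a network that
    is supposed to be encrypted."""
    return [p for p in (parse_frame(f) for f in frames)
            if p["type"] == "data" and not p["protected"] and p["fcs_ok"]]


# Constructed sample frames (addresses and payloads are made up for this example).
AP = bytes.fromhex("00aabbccddee")
STA = bytes.fromhex("001122334455")
DATA_TO_DS = (2 << 2) | FC_TO_DS
PROTECTED_FRAME = build_frame(DATA_TO_DS | FC_PROTECTED, 44, AP, STA, AP, seq=7, frag=0,
                              body=bytes.fromhex("0a1b2c") + b"\x40" + b"ciphertext..." + b"\0\0\0\0")
CLEAR_FRAME = build_frame(DATA_TO_DS, 44, AP, STA, AP, seq=8, frag=0, body=b"plaintext payload")

if __name__ == "__main__":
    for f in (PROTECTED_FRAME, CLEAR_FRAME):
        p = parse_frame(f)
        print(p["type"], p["addr2"], "->", p["addr1"], "seq", p["seq"],
              "protected" if p["protected"] else "CLEAR", "fcs_ok", p["fcs_ok"])
```

A passing FCS only says the frame arrived intact, not that it is genuine: anyone can compute a valid CRC, which is why the WEP slides later in this unit treat the CRC-based integrity checker as a weakness rather than a protection.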

Spread Spectrum and Frequency Hopping

• To avoid interference in the band, radio LANs (RLANs) use either Frequency Hopping or Direct Sequence Spread Spectrum techniques (FHSS & DSSS). These two methods avoid or lower the potential for interference within the band, as shown in the next slide. Spread spectrum technologies work by spreading the actual signal over a wider bandwidth for transmission. Using these methods provides resilience from narrow band interference and also reduces interference to other sources using the ISM band.

• Frequency Hopping Spread Spectrum technology works by splitting the ISM band into 79 1MHz channels. Data is transmitted in a sequence over the available channels, spreading the signal across the band according to a hopping pattern, which has been determined between the wireless devices. Each channel can only be occupied for a limited period of time before the system has to hop.

Spread Spectrum and Frequency Hopping

Military systems have been using Spread Spectrum and Frequency Hopping for many years. This is to:

• Avoid jamming on a certain channel.

• Avoid noise on a certain channel.

• Confuse the enemy, as the transmitting frequency moves in a way that only the sender and receiver know. Imagine having to move the dial of your radio receiver each minute to a certain frequency in a given way. Such as Radio 1 is broadcast on 909MHz from 12:00, then 915MHz until 12:01, then 900MHz until 12:02, and so on.
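A simulation of the hopping behaviour described on this slide and the previous one, added here as an example (not from the slides). A seeded permutation of the 79 channels stands in for the hopping pattern the devices agree on beforehand; `stay_in_sync` shows that two radios holding the same pattern meet on every hop, and `hops_lost_to_interferer` counts how many hops land on channels occupied by an interferer, which is what makes a fixed-frequency source of noise or jamming cost only a fraction of the hops. The seed and the interferer channels are constructed values.

```python
import random

NUM_CHANNELS = 79   # the slides' 79 x 1 MHz FHSS channels in the ISM band


def hop_pattern(shared_seed: int) -> list:
    """The hopping pattern both radios know in advance: here a permutation of all
    channels derived from a shared seed (a simplification; real FH radios use
    standardised hop sets, but the properties shown below are the same)."""
    rng = random.Random(shared_seed)
    channels = list(range(NUM_CHANNELS))
    rng.shuffle(channels)
    return channels


def channel_at(pattern: list, hop_index: int) -> int:
    """Channel occupied during hop number `hop_index`; when the dwell time on a
    channel expires the radio moves to the next entry, wrapping round at the end."""
    return pattern[hop_index % len(pattern)]


def stay_in_sync(seed_sender: int, seed_receiver: int, hops: int = 500) -> bool:
    """Sender and receiver are on the same channel at every hop only when they share
    the pattern; a listener without it sees the signal jump around the band."""
    sender, receiver = hop_pattern(seed_sender), hop_pattern(seed_receiver)
    return all(channel_at(sender, i) == channel_at(receiver, i) for i in range(hops))


def hops_lost_to_interferer(pattern: list, jammed_channels: set, hops: int) -> int:
    """Count the hops that land on a channel occupied by an interferer or jammer."""
    return sum(1 for i in range(hops) if channel_at(pattern, i) in jammed_channels)


def fraction_lost(pattern: list, jammed_channels: set, hops: int) -> float:
    return hops_lost_to_interferer(pattern, jammed_channels, hops) / hops


if __name__ == "__main__":
    pattern = hop_pattern(2024)   # constructed shared seed
    print("first hops:", pattern[:8])
    print("interferer on one channel, fraction of hops lost:",
          fraction_lost(pattern, {3}, 7900))
    print("jammer covering the whole band, fraction of hops lost:",
          fraction_lost(pattern, set(range(NUM_CHANNELS)), 7900))
```

With a single-channel interferer exactly one hop in every 79 is lost, whichever channel it sits on; a jammer wide enough to cover the whole band costs every hop, which is the situation the later "Interference and Jamming" slide describes.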

FHSS and DSSS channels

Figure labels: FHSS: 2400MHz to 2483.5MHz divided into 1MHz channels Ch01, Ch02, Ch03 … Ch74, Ch75. DSSS: CH1 - 22MHz, CH2 - 22MHz, CH7 - 22MHz, CH13 - 22MHz; non-overlapping channels.

IEEE 802.11 Security

Access Control

Interference and Jamming

Wireless networks can be easily jammed by transmitting jamming signals on frequencies around the 2.4GHz band (figure: 2.4GHz to 2.48GHz). Not recommended for battlefield conditions.

Wireless Intrusion

Figure: a firewalled network with a public FTP server in a De-Militarized Zone (DMZ); an external device connecting over wireless gets behind the firewall.

Wireless Access is Untrusted

Figure: the same network, with the public FTP server in the De-Militarized Zone (DMZ); all wireless connections are untrusted.

DoS and Deprivation of Service Attack

Figure labels: Connect? Download; Deprivation of service attack; DoS attack.

Spoofing

The client spoofs its MAC address to gain an IP address. MAC addresses cannot be used to authenticate nodes, as MAC addresses can be set up in some network cards.

Figure labels: Spoof device; Correct device; Devices connect to the spoof device.

Wireless Security

Wireless Security Standards

IPSec standards for VPNs
- Limited to IP
- Required for public access systems.

Authentication:
EAPS - Extensible Authentication Protocol
LEAP - Lightweight EAP
EAP-TLS - EAP - Transport Layer Security
EAP-TTLS - Tunnelled TLS
PEAP - Protected EAP

Encryption:
WEP - Wireless Encryption Protocol
WPA - Wireless Protected Access
IEEE 802.11i

Disaster area for wireless access

WEP - Wired Equivalent Privacy (aka Weak Encryption Protocol)

Access Control

Generating the WEP key

• WEP encryption key reduces eavesdropping.

• It stops unauthorized access to a Wireless Access Point (along with the SSID, of course).

Figure: a passphrase (napier01) is fed to Generate key, giving 40-bit keys or 104-bit keys (24 bits for IV). No standard exists to define how the WEP key is created.

Figure: Initialization Vector (24 bits) | Encryption Key (40 bits).

Same key is used for all nodes. Thus an eavesdropper can eventually gain the key. This key is used for encryption of all the data in the domain.

WEP uses a stream cipher based on the RC4 algorithm.

- Expands a short key into an infinite pseudo-random key.

Figure: the sender and receiver use the same shared key, and each expands the short key into the same infinite pseudo-random key (01111010100101000101. . .). Sender: data stream 10100101000101010101. . . X-OR 01111010100101000101. . . = 1101111110000001000. . ., which is transmitted. Receiver: 1101111110000001000. . . X-OR 01111010100101000101. . . = 10100101000101010101. . ., the original data stream.

WEP - Possible Problem? Statistical Analysis

Figure: two data streams ('A' 'B' and 'C' 'D') are each X-ORed with the same infinite pseudo-random key (10100101000101010101. . .) derived from the short key, giving the ciphertexts 100000010000101010. . . and 1101111110000001000. . . .

Eavesdropper can detect the key if it can read two streams encoded with the same key.
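The X-OR picture on the previous slide and the shared-keystream problem on this one, as an added Python example (not code from the slides). `rc4_keystream` is the real RC4 key-scheduling and output generation; `wep_encrypt` forms the per-packet RC4 key as IV || shared key, as WEP does, and X-ORs the data stream with the keystream. `plaintext_xor_leaks` shows that when two packets are encrypted under the same IV and key, X-ORing the two ciphertexts cancels the keystream and leaves P1 X-OR P2, which is what the eavesdropper's statistical analysis works on; with distinct IVs the relation disappears. The 40-bit key, the IVs and the messages are constructed values.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by the pseudo-random generation (PRGA).
    This is the slide's expansion of a short key into an 'infinite' pseudo-random key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, data: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is IV || shared key, and the
    ciphertext is data X-OR keystream. Decryption is the identical operation."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    return xor_bytes(data, rc4_keystream(iv + shared_key, len(data)))


wep_decrypt = wep_encrypt   # X-OR with the same keystream restores the data stream


def plaintext_xor_leaks(iv1: bytes, iv2: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 X-OR C2 == P1 X-OR P2, i.e. the keystream has cancelled out.
    That happens exactly when both packets used the same IV (same RC4 key):
    the key drops out and only the two plaintexts remain related, which is the
    'two streams encoded with the same key' case on the slide."""
    c1 = wep_encrypt(iv1, shared_key, p1)
    c2 = wep_encrypt(iv2, shared_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample values (not from the slides).
SHARED_KEY = bytes.fromhex("0a1b2c3d4e")   # a 40-bit WEP key
IV_A = bytes.fromhex("000001")
IV_B = bytes.fromhex("000002")

if __name__ == "__main__":
    p1, p2 = b"AB" * 10, b"CD" * 10
    print("same IV reused, keystream cancels:",
          plaintext_xor_leaks(IV_A, IV_A, SHARED_KEY, p1, p2))
    print("distinct IVs, no cancellation:",
          plaintext_xor_leaks(IV_A, IV_B, SHARED_KEY, p1, p2))
```

The 24-bit IV is the only thing that separates one packet's keystream from the next under a fixed shared key, which is why the slides that follow spend so long on how often it repeats.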

WEP - Possible Problem? Man-in-the-Middle

Figure: 'A' 'B' is X-ORed with the infinite pseudo-random key (10100101000101010101. . .) to give 1101111110000001000. . . . The man-in-the-middle flips a bit, giving 1101111111000001000. . ., which the receiver X-ORs with its keystream and reads as 'A' 'C'.

Man-in-the-middle can flip a few bits and change the text. Letters can thus be changed.

IV and IC

WEP guards against these attacks with:

• An Initialization Vector (IV). This is a secret key which varies the key for every data packet.

• An Integrity Checker (IC). This is a 32-bit CRC (Cyclic Redundancy Check). If bits are flipped, it will not give the same CRC value. Thus an error is caused.

Unfortunately both methods have not been implemented properly!!! Which leads to lots of problems.

Weakness of the Integrity Checker

Before: 01010101 10101010 01010101 01010101 11010101 10101010 01010101 01010111 01010101 10111010 01010101 01110111

After:  01010101 10101110 01010101 01010101 11010101 10101110 01010101 01010111 01010101 10111010 01010101 01110111

Bits are flipped over consecutive bit positions, so that the overall CRC stays the same.
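The property behind this slide and the man-in-the-middle slide before it, as an added example (not from the slides). CRC-32 is affine over X-OR, so any change to the data implies a predictable change to the CRC, and flipping the 33 consecutive bits of the CRC generator polynomial into the data leaves the CRC unchanged altogether, which is the pattern of consecutive flipped bits the slide shows. The block checks this with Python's zlib.crc32 and contrasts it with a keyed HMAC, which does detect the same modification; the message and the MAC key are constructed values.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_icv(data: bytes) -> int:
    """The WEP integrity check value: a plain CRC-32 of the data, no key involved."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over X-OR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for
    equal-length inputs. Any check with this property lets a change to the data
    be matched by a predictable change to the check value, so it is not a MAC."""
    zeros = bytes(len(a))
    return crc32_icv(xor_bytes(a, b)) == crc32_icv(a) ^ crc32_icv(b) ^ crc32_icv(zeros)


# The 33-bit CRC-32 generator polynomial, packed in the bit order zlib consumes data
# (least-significant bit of each byte first).  X-ORing it into a message at any byte
# offset adds a multiple of the generator, so the remainder, i.e. the CRC, does not
# change at all: the slide's "bits flipped over consecutive bit positions".
GENERATOR_PATTERN = ((0xEDB88320 << 1) | 1).to_bytes(5, "little")


def flip_generator_pattern(data: bytes, offset: int) -> bytes:
    """Return `data` with the generator pattern's bits flipped in, starting at `offset`."""
    if offset < 0 or offset + len(GENERATOR_PATTERN) > len(data):
        raise ValueError("pattern does not fit inside the data")
    buf = bytearray(data)
    for k, byte in enumerate(GENERATOR_PATTERN):
        buf[offset + k] ^= byte
    return bytes(buf)


def crc_check_passes(data: bytes, icv: int) -> bool:
    """What a WEP receiver does: recompute the CRC and compare with the received ICV."""
    return crc32_icv(data) == icv


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """The fix: a keyed MAC, whose value cannot be predicted without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_check_passes(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


# Constructed sample message and MAC key (not from the slides).
MESSAGE = b"Hello How are you? The meeting is at 12:00."
MAC_KEY = b"constructed demo key, not for real use"

if __name__ == "__main__":
    icv = crc32_icv(MESSAGE)
    modified = flip_generator_pattern(MESSAGE, 6)
    print("data changed:", modified != MESSAGE)
    print("CRC-32 check still passes:", crc_check_passes(modified, icv))
    tag = hmac_tag(MAC_KEY, MESSAGE)
    print("HMAC check passes on modified data:", hmac_check_passes(MAC_KEY, modified, tag))
```

A CRC is designed to catch accidental errors (a single flipped bit is always detected, as the test shows) and does that well; what it cannot do is distinguish an accident from a deliberate change, because its output is a fixed linear function of the input with no secret involved. TKIP's improved integrity checker and the AES-based modes in 802.11i replace it with keyed integrity protection for exactly this reason.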

The IV is a 24-bit value, which is sent as cleartext.

There can only be 2^24 vectors (16,777,216).

If we use 1500 byte packets, the time to send each packet is 1500×8/11e6 = 1.1ms.

Thus, if the device is continually sending, the same vector will repeat after:

1.1ms × 16,777,216 = 18,302.4 seconds

which is 5 hours. The attacker then takes the two ciphertexts which have been encrypted with the same key, and performs a statistical analysis on them.
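The arithmetic on this slide as a set of functions, added here (not from the slides), with one extension the slide does not cover: if a card draws its IVs at random instead of counting, the birthday bound makes a repeat likely after only a few thousand packets, a matter of seconds at this rate, rather than after the full 2^24. Defaults are the slide's 1500-byte packets at 11 Mbps.

```python
import math

IV_BITS = 24


def iv_space(bits: int = IV_BITS) -> int:
    """Number of distinct IVs: 2^24 = 16,777,216 for WEP."""
    return 2 ** bits


def packet_time_s(packet_bytes: int = 1500, rate_bps: int = 11_000_000) -> float:
    """Air time of one packet: the slide's 1500 x 8 / 11e6 seconds."""
    return packet_bytes * 8 / rate_bps


def sequential_iv_wrap_s(bits: int = IV_BITS, packet_bytes: int = 1500,
                         rate_bps: int = 11_000_000) -> float:
    """Counter-style IVs: a continuously sending device repeats an IV only after
    exhausting the whole space (the slide's 18,302.4 seconds, about 5 hours)."""
    return iv_space(bits) * packet_time_s(packet_bytes, rate_bps)


def random_iv_collision_probability(packets: int, bits: int = IV_BITS) -> float:
    """Birthday bound for randomly chosen IVs: probability that at least two of
    `packets` packets share an IV, 1 - exp(-n(n-1)/2N)."""
    n, space = packets, iv_space(bits)
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def packets_until_collision_likely(bits: int = IV_BITS, probability: float = 0.5) -> int:
    """Smallest n with P(repeat) >= probability under the birthday approximation,
    i.e. solve n(n-1) = -2N ln(1-p) for n and round up."""
    space = iv_space(bits)
    target = -2.0 * space * math.log(1.0 - probability)
    return math.ceil((1.0 + math.sqrt(1.0 + 4.0 * target)) / 2.0)


if __name__ == "__main__":
    print(f"IV space: {iv_space():,}")
    print(f"sequential wrap: {sequential_iv_wrap_s():.1f} s "
          f"({sequential_iv_wrap_s() / 3600:.2f} h)")
    n = packets_until_collision_likely()
    print(f"random IVs: 50% chance of a repeat after {n} packets, "
          f"about {n * packet_time_s():.1f} s of traffic")
```

Either way the shared key is never rotated, so every repeat hands the eavesdropper another pair of ciphertexts under the same keystream; the counting card only delays it, and a card that restarts its counter at zero on every reset, as the next slide notes some do, repeats low IVs immediately.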

Passive Attack to Decrypt Traffic

Figure: the eavesdropper listens for at least five hours and waits for a recurrence of the IV. IV="Dah&*43+=f" gives Ciphertext1; after 16,777,214 other IVs (such as IV="Dah&*43+=g") the same IV recurs, giving Ciphertext2; the eavesdropper then forms Ciphertext1 X-OR Ciphertext2.

Some network cards actually initialize at zero, and then increment by 1 each time (in fact the standard does not even specify that the IV should change at all).

Active Attack to Inject Traffic

If the eavesdropper knows part of the plaintext for a corresponding ciphertext, it is possible to build a correctly encrypted ciphertext.

By performing bit flips it is possible to change the characters in the plaintext so that the CRC-32 stays the same.

Figure labels: Plaintext; Corresponding ciphertext; Modified Plaintext; Encrypted text; CRC-32.

Active Attack from Both Ends

The eavesdropper can expand the method so that they can examine for known IP and TCP headers.

By performing bit flips it is possible to change the characters in the plaintext so that the CRC-32 stays the same.

By flipping bits on the IP address, the eavesdropper can send all data packets to their machine.

Figure labels: Known IP/TCP headers; Corresponding ciphertext; Modified IP/TCP header; Message; Ciphertext; Modified IP/TCP header, Message, CRC-32.

Table-based

Figure: a table of plaintext/ciphertext pairs indexed by IV (IV=0, IV=1, IV=2, … IV=16,777,214, IV=16,777,215), with sample entries such as Hello How / %4£$”9h-=+, 76504fgh== / 5%6$”79h-, and Avbdc=+34d / %£$”9h-4=+.

The eavesdropper can now decrypt all the data packets with the IV of zero. Over time others can be learnt.

Eavesdropper stores a table of known keys for each IV (15GB).

WEP also allows for authentication using a secret key (shared key) or an open system.

Figure: Private-key (shared key) authentication: Request for authentication; Challenge text sent to client; Encrypted text returned; If correctly encrypted the device can connect. Open system: Any node can join and there is no encryption or authentication.

EAP - Efficient Application Protocols

Access Control

EAP - Efficient Application Protocols

EAP provides centralized authentication and dynamic key distribution.

It has been developed by the IEEE 802.11i Task Group as an end-to-end framework and uses 802.1X and EAP.

This is:

- Authentication. This is of both the client and the authentication server (such as a RADIUS server).
- Encryption keys. These are dynamically created after authentication. They are not common to the whole network.
- Centralized policy control. A session time-out generates a reauthentication and the generation of new encryption keys.

A wireless client cannot gain access to the network unless it has been authenticated by the access point or a RADIUS server, and has encryption keys.

There are many versions of EAP, including:

• LEAP - Lightweight EAP
• EAP-TLS - EAP-Transport Layer Security
• PEAP - Protected EAP
• EAP-TTLS - EAP-Tunnelled TLS
• EAP-SIM - EAP-Subscriber Identity Module

EAPs

Figure: a corporate network with a RADIUS server and user database. The device cannot access the network until it has been authenticated and has encryption keys.

EAPs can either be in the access point or from a RADIUS server.

EAPs

1. Client associates with the access point.
2. Client provides authentication details.
3. RADIUS server authenticates the user.
4. User authenticates the RADIUS server.
5. Client and RADIUS server derive unicast WEP key.
6. RADIUS server gives broadcast WEP key to access point.
7. Access point sends broadcast WEP key to client using unicast WEP key.

Figure labels: Corporate network; RADIUS server; User database.

EAPs

Client details: User ID and password, or User ID and digital certificate, or One-time passwords.

Figure labels: Corporate network; RADIUS server; User database.

EAP-TLS

User Authentication: User ID and digital certificate
Key size: 128 bits
Encryption: RC4
Device Authentication: Certificate
Open Standard: Yes
User differentiation: Group
Certificate: RADIUS server/WLAN client

Figure labels: Corporate network; RADIUS server/certificate server; User database.

LEAPs

User Authentication: User ID and password
Key size: 128 bits
Encryption: RC4
Device Authentication: Not Supported
Open Standard: No (Cisco-derived)
User differentiation: Group
Certificate: None

LEAPs is open to a dictionary attack. Use strong passwords!!!

Figure labels: Corporate network; RADIUS server; User database.

EAP - PEAPs

User Authentication: User ID and password or OTP (one-time password)
Key size: 128 bits
Encryption: RC4
Device Authentication: Not supported
Open Standard: Yes
User differentiation: Group
Certificate: Yes

Figure labels: Corporate network; RADIUS server; User database.

PEAPs

Uses 802.1X to focus authentication on the connecting device.

IEEE 802.11i

Along with EAPs, the new enhancements for WLAN are:

• TKIP (Temporal Key Integrity Protocol), which is a set of enhancements to RC4-based WEP. The IV has been increased to 48 bits (rather than 24 bits), and the Integrity Checker has been improved.

• AES, which is a stronger alternative to RC4.

Figure labels: WPA (Wi-Fi Protected Access); IEEE 802.11i; IEEE 802.1X (Authentication of both client and access point).

Good Design Principles

Access Control

Some Design Tips

1. No ad-hoc networks.
2. Client supports EAPs.
3. Encryption enabled.
4. DHCP for all IP addresses.
5. RADIUS or TACACS+ server for centralized authentication.
6. PKI server which provides digital certificates for users and servers.
7. SNMP communities have strong names.
8. No physical access to access point.
8. Secure protocols, such as SSH used instead of Telnet (as plaintext passwords can be viewed with Telnet).
9. Management traffic isolated.
10. Layer 2/3 switch.
