Chapter 1 The security of existing wireless
networks
a.Security of cellular networks b.WiFi Security: WEP, WPA, and WPA2
Security and Cooperation in Wireless Networks
Levente Buttyan and Jean-Pierre Hubaux
[Note: L. Lilien made changes to improve clarity and formatting of slides, including:
(1) adding more levels for prioritization of text,
(2) changing font to larger size for most slides,
(3) splitting many slides into 2 or more slides (necessary due to the above changes),
(4) adding emphasis by changing font color to blue,
(5) removing words that are superfluous in slides,
(6) improving consistency of slides and the textbook.
Modifications are © 2007-2009 by Leszek T. Lilien. Requests to use L. Lilien’s slides for non-profit purposes will be gladly granted upon a written request.]
2
Why is security more of a concern in wireless?
No inherent physical protection
– Physical connections between devices are replaced by logical associations
– No physical access to the network infrastructure (cables, hubs, routers, etc.) is needed for transmitting messages
Wireless broadcast transmissions/communications
– Usually, wireless = radio => a broadcast nature
– Can be overheard by anyone in range
– Anyone can transmit
  • Received by other devices in range
  • Interferes with other nearby transmissions
– Jamming may prevent correct reception
3
Security vulnerabilities for wireless networks
– eavesdropping is easy
– messages can be altered, or bogus messages injected, by an attacker (an example of an active attack)
– it is easier to impersonate (= to cheat on identities)
– replaying previously recorded messages is easy
– illegitimate access to the network and its services is easy
– denial of service (DoS) is easily achieved by jamming
4
Security requirements for wireless communication
Recall: classic CIA security requirements
– CIA = confidentiality + integrity + availability
– Req’s below include CIA (in a different order)
-------------------------------------------
authentication
– origin of received messages must be verified
access control
– limit access to network services to legitimate entities only
– need permanent access control
  • checking the legitimacy of an entity only when it joins the network (and its logical associations are established) is not sufficient
    – because logical associations can be hijacked
confidentiality
– messages must be encrypted
5
Security requirements for wireless communication (2)
integrity
– malicious modification of messages is possible
  • Even if modifying on-the-fly (during radio transmission) is not so easy
– integrity of received messages must be verified
privacy
– incl. location privacy
  • do not reveal the location of the user, nor the party with which she communicates
– law enforcement agencies must have access to these two pieces of info
non-repudiation
– e.g., prevent the possibility that a user, after getting a message/service, pretends that she did not
6
Security requirements for wireless communication (3)
availability
– in particular, guarantee a fair share of the radio resource
  • e.g., for all mobile users located in the same radio domain
– provide higher priority for more important communications
  • e.g., an emergency call from a cellular phone
other security req’s:
– replay detection
  • freshness of received messages must be checked
– protection against jamming
Securing wireless networks
a. Security of cellular networks
Security in European cellular nets (similar in US cell nets)
- in GSM (Global System for Mobile Communications)
  - A European 2G (2nd generation) cellular network
- in UMTS (Universal Mobile Telecommunications System)
  - A European 3G (3rd generation) cellular network
7
REFRESHER SLIDES (quick presentation till Slide 23)
Introduction To Cellular Systems (see L. Lilien’s Section 1 and Section 9 slides for CS6910: Pervasive Computing – S’07)
[Figure: a user moving from Cincinnati, OH to Washington, DC keeps the same phone number. LTL: User moves but phone # unchanged]
Maintaining the telephone number across geographical areas in a wireless and mobile system
8
Generations of Wireless Systems & Services
1G - First Generation
– Primarily for voice communication
– Using FDM (frequency division multiplexing)
2G - Second Generation
– Emphasis still on voice communication but allows for…
– … Data communication
– Using TDM (time division multiplexing)
– Indoor/outdoor and vehicular environment
3G - Third Generation
– Integrated voice, data, and multimedia communication
– Need for:
  • High volume of traffic / Real time data communication
  • Flexibility, incl.
    – Frequent Internet access
    – Multimedia data transfer
  • Compatibility with 2G
    – Using compression
      • Without compromising quality
© 2007 by Leszek T. Lilien
9
Future: 4G
4G
– Expected to implement all standards from 2G & 3G
– Infrastructure only packet-based, all-IP
– Some of the standards paving the way for 4G:
  • WiMax
  • WiBro (Korean)
  • 3GPP Long Term Evolution
    – Improves the UMTS mobile phone standard (Europe)
  • Work-in-progress technologies
    – E.g., HSOPA, a part of 3GPP Long Term Evolution
Coverage Aspect of Next Generation Mobile Communication Systems
[Figure: coverage layers from smallest to largest: Picocell (In-Building), Microcell (Urban), Macrocell (Suburban), Global (Satellite)]
11
Fundamentals of Cellular Systems
[Figure: illustration of a cell with a mobile station (MS) and a base station (BS). The service area, i.e., the ideal cell area (2-10 km radius), is drawn as a circle; the hexagonal cell area is used in most models; a square is an alternative cell shape.]
[LTL:] Cell shapes (above)
– Actually, a cell may have a zigzag shape
– Hexagon is a good approximation in practice
  – Also gives non-overlapping cells (used by clever bees for beehives)
  – E.g., circles would either overlap, or would have gaps in between
12
MS, BS, BSC, MSC, and PSTN
[Figure: a home phone attached to the PSTN; the PSTN connects to several MSCs; each MSC connects to several BSCs; each BSC connects to several BSs; each BS serves several MSs over the air. All links between PSTN, MSC, BSC and BS are wired links.]
[LTL:]
– Several BSs connected via wireline links to one BSC (BS controller)
– Several BSCs connected via wireline links to one MSC (Mobile Switching Center)
– Several MSCs interconnected via wireline links to PSTN (Public Switched Telephone Network) and the ATM backbone
13
BS Structure
BS consists of
– Base Transceiver System (BTS)
  • Includes tower & antenna
– BSC
  • Contains all associated electronics
14
MSC Database Supporting MS Mobility & Incoming Call Scenario
MSC database for supporting MS mobility
1) Home location register (HLR) for MS
  • Located at the “home MSC” for MS
    – Where MS is registered, billed, etc.
  • Indicates current location of MS
    – Could be within home MSC’s area OR
    – Could be in the area of any MSC in the world
2) Visitor location register (VLR) on each MSC
  • Contains info on all MSs visiting area of this MSC
Incoming call scenario
– Based on the called #, incoming call for an MS is directed to the HLR of the “home MSC” for this MS
– HLR redirects the call to MSC/BSC/BS where the MS is now
– VLR of the “current MSC” has info on MS (one of visiting MSs)
15
Control and Traffic Channels
[Figure: between Base Station and Mobile Station, four channels: forward (downlink) control channel, reverse (uplink) control channel, forward (downlink) traffic channel, reverse (uplink) traffic channel]
Note: Forward/reverse in the U.S., downlink/uplink elsewhere
[LTL:]
4 simplex channels needed for control & traffic
– 2 control channels: exchange control msgs; forward channel & reverse channel
– 2 traffic channels: for data; forward channel & reverse channel
16
Steps for a Call Setup from MS to BS
[Figure: message sequence between BS and MS, time running downward]
1. Need to establish path
2. Frequency/time slot/code assigned (FDMA/TDMA/CDMA)
3. Control information acknowledgement
4. Start communication on assigned traffic channel
[LTL:] Steps for a call setup from MS to BS - when MS initiates a call
17
Steps for a Call Setup from BS to MS
[Figure: message sequence between BS and MS, time running downward]
1. Call for MS # pending
2. Ready to establish a path
3. Use frequency / time slot / code (FDMA/TDMA/CDMA)
4. Ready for communication
5. Start communication on assigned traffic channel
[LTL:] Steps for a call setup from BS to MS: when MS responds to a call (another MS calls this MS)
18
9.2. Cellular System Infrastructure – cont. 1
The infrastructure in more detail
1) Discussed in Sec. 1 (“Pervasive Computing”):
BTS = base transceiver system (tower + antenna) (transceiver = transmitter + receiver)
BSC = BS controller (all electronics controlling BTSs, even k*100 BTSs)
BS = base station = BTS + BSC
NOTE: We sometimes omit mentioning BTS, as if BTS + BSC were co-located & were an integrated BS. Sometimes (as in the previous Figure) BTS is denoted as “BS”
HLR = home location register
VLR = visitor location register
2) Not discussed yet:
AUC = authentication center
EIR = equipment identity register
(Modified by LTL)
9.2. Cellular System Infrastructure – cont. 3
(Modified by LTL)
[Figure: HLR and VLR used in a way analogous to mail forwarding by the U.S. Postal Service (pp. 190-192)]
20
9.2. Cellular System Infrastructure – cont. 4
(Modified by LTL)
Unlike in the USPS example, in cellular we need not only a forward link (home MSC -> visiting MSC); we need also a backward link (visiting MSC -> home MSC) – see fig. below for the bi-directional link
Backward link needed for, e.g.:
– Billing - done only by home MSC (mobile switching center)
– Looking at the list of access specifications – kept by home MSC
  • Is MS active or not (e.g., delayed payment)
  • Local calls only or long distance calls allowed or both
  • Listing of calls made
  • Listing of charges
21
The end of the “Introduction to Cellular Systems”
22
23
GSM Security: The SIM card (Subscriber Identity Module)
Security req’s for SIMs (SIMs implemented as smart cards)
– Tamper-resistance
– Protected by a PIN code (checked locally by the SIM)
– Removable from the terminal
– Contains all end-user-specific data required in the Mobile Station:
  • IMSI: International Mobile Subscriber Identity (permanent user’s identity)
  • PIN
  • TMSI (Temporary Mobile Subscriber Identity)
  • Ki : User’s secret key
  • Kc : Ciphering key
  • List of the most recent call attempts
  • List of preferred operators
  • Supplementary service data (abbreviated dialing, last short messages received, ...)
24
Authentication principle of GSM
* Uses challenge-response principle
  + Subscriber (her SIM card) receives a random # (RAND) as a challenge
  + To be authenticated, subscriber (SIM) must compute a correct response
    - Computed from the challenge (RAND) and long-term secret key (K)
    - K known only to Subscriber (her SIM) and the operator
    - RAND ensures freshness of response (w/o RAND, attacker could use an old response)
For the more interesting case, consider authenticating a subscriber in a visited network (not in the home network) – see Fig. 1.1
PRNG – pseudo-random number generator (source of RAND)
A3, A8 – algorithms from GSM specs
SRES – correct response to the challenge
CK – encryption key for mobile-to-visited-net communication (called Kc in the GSM specs)
SRES’ – response to the challenge from the mobile
25
Authentication principle of GSM (2)
* Notes: VN = visited network, HN = home network
  + VN authenticates subscriber w/o knowing K (long term key)
    - Knows CK (encr. key for mobile-to-visited net communications)
    - VN need not consult HN
  + HN need not be contacted by VN each time subscriber must be authenticated
    - Because HN can send a few triplets (RAND, SRES, CK) each time it is contacted by VN
  + Subscriber identity hidden from eavesdroppers by using TMSI
    - IMSI used for 1st authentication
    - TMSI assigned to Subscriber by VN after 1st successful authentication
      - Encrypted with CK
    - Mobile uses TMSI to communicate w/ VN
  + When Subscriber moves to VN2 (another VN):
    - VN2 contacts VN1
    - VN1 sends TMSI to VN2
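The triplet mechanism described on these two slides, as an added worked example (it is not part of the original slides or of the textbook): a home network issues (RAND, SRES, Kc) triplets, a visited network authenticates the SIM from them without ever holding Ki, fetches several triplets per contact with the home network, hands out a TMSI after success, and rejects a replayed SRES because every triplet carries a fresh RAND. The A3/A8 stand-ins (HMAC-SHA256 truncated to the 32-bit SRES and 64-bit Kc), the 4-byte TMSI and the example IMSI are assumptions of this example, not GSM's actual operator algorithms.

```python
import hashlib
import hmac
import os

# Stand-ins for the operator-specific A3 and A8 algorithms. The real ones are
# chosen by the operator; HMAC-SHA256 truncated to the GSM field sizes
# (SRES: 32 bits, Kc: 64 bits) is an assumption made here so the example runs offline.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class HomeNetwork:
    """AuC/HLR side: the only place (besides the SIM) that holds Ki."""

    def __init__(self) -> None:
        self.ki_by_imsi = {}
        self.triplet_requests = 0   # how often a VN had to contact us

    def provision_sim(self, imsi: str) -> bytes:
        ki = os.urandom(16)
        self.ki_by_imsi[imsi] = ki
        return ki

    def triplets(self, imsi: str, n: int = 3) -> list:
        """Return n (RAND, SRES, Kc) triplets; Ki itself never leaves the HN."""
        self.triplet_requests += 1
        ki = self.ki_by_imsi[imsi]
        out = []
        for _ in range(n):
            rand = os.urandom(16)
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out


class Sim:
    """Subscriber side: answers a challenge and derives Kc from the same RAND."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)   # SRES'


class VisitedNetwork:
    """VLR side: authenticates using triplets only, without ever seeing Ki."""

    def __init__(self, hn: HomeNetwork) -> None:
        self.hn = hn
        self.unused = {}        # imsi -> triplets not yet consumed
        self.imsi_by_tmsi = {}
        self.kc_by_tmsi = {}

    def authenticate(self, identity, respond):
        """identity is an IMSI (first contact) or a TMSI issued earlier by this VN.
        respond(rand) models the radio round trip to the SIM and returns SRES'."""
        imsi = self.imsi_by_tmsi.get(identity, identity)
        if not self.unused.get(imsi):
            self.unused[imsi] = self.hn.triplets(imsi)   # one HN round trip covers several auths
        rand, sres, kc = self.unused[imsi].pop(0)        # each triplet is used exactly once
        sres_prime = respond(rand)
        if not hmac.compare_digest(sres, sres_prime):
            return None
        tmsi = os.urandom(4)   # fresh temporary identity (sent to the MS encrypted under Kc)
        self.imsi_by_tmsi[tmsi] = imsi
        self.kc_by_tmsi[tmsi] = kc
        return tmsi, kc
```

The point to notice is what the visited network stores: triplets and a TMSI-to-IMSI map, never Ki. An attacker who records one (RAND, SRES') pair gains nothing, because the next triplet carries a different RAND and the recorded SRES' fails the comparison.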
26
(SKIP) Authentication principle of GSM (original slide)
[Figure: Mobile Station – Visited network – Home network. The MS sends IMSI (or TMSI) to the visited network, which forwards the IMSI to the home network. The home network runs A3 and A8 on Ki and a random R to obtain S and Kc, and returns triplets (Kc, R, S) to the visited network. The visited network sends Authenticate(R) to the MS; the MS (its SIM) runs A3 and A8 on Ki and R to obtain Kc and S’, and answers Auth-ack(S’). The visited network checks S = S’?]
27
(SKIP) Cryptographic algorithms of GSM
[Figure: R (random number) and Ki (user’s secret key) feed A3 (authentication) and A8; A3 outputs S, A8 outputs Kc; (R, S, Kc) form the triplet; Kc feeds A5 (ciphering)]
Kc: ciphering key
S : signed result
A3: subscriber authentication (operator-dependent algorithm)
A5: ciphering/deciphering (standardized algorithm)
A8: cipher key generation (operator-dependent algorithm)
28
Ciphering in GSM
[Figure: at the sender (MS or network), A5 keyed with Kc and the frame number produces a ciphering sequence, which is XORed with the plaintext sequence to give the ciphertext sequence; at the receiver (network or MS), A5 with the same Kc and frame number regenerates the ciphering sequence, which is XORed with the ciphertext to recover the plaintext sequence]
Kc = ciphering key
A5 = ciphering/deciphering (standardized algorithm)
29
Conclusion on GSM security
Security services provided by GSM security architecture:
– Focus on the protection of the air interface
  • No protection on the wired part of the network
    – Neither for privacy nor for confidentiality
– Allow the visited network access to almost all data
  • Except the secret key of the end user
– Generally robust…
– … but a few successful attacks have been reported:
  • faking base stations
  • cloning SIM card
30
UMTS Security Architecture (1a)
Motivation and goals
– New kind of service providers
  • content providers, HLR-only service providers, …
    – HLR = Home Location Register
– Increased control for users over their service profiles
– Enhanced resistance to active attacks
– Increased importance of non-voice services
– Reuse GSM (2G) security principles
– …
31
UMTS Security Architecture (1b)
Reusing GSM security principles:
– Removable hardware security module
  • In GSM (2G): SIM card
  • In UMTS (3G): USIM (User Services Identity Module)
– Radio interface encryption
– Limited trust in a visited network
  • K (long-term key) never revealed to it
– Protection of the end user’s identity
  • Especially on the radio interface
  • Using TMSI instead of IMSI
32
UMTS Security Architecture (2a)
Weaknesses of GSM security that require corrections:
– Only unilateral authentication
  • Authenticates only MS (mobile station) to BS (base station) in visited net (none in reverse)
    => Allows for fake BSs
  • Then run MITM (man-in-the-middle) attacks from it
    – Using “IMSI catchers” (devices for protocol testing)
  • Facilitated by the inability of the subscriber to verify freshness of the received challenge
– Lack of integrity protection for communication/signalling over radio
  • Facilitates using fake BSs
  • Integrity not critical for voice communications (just some voice distortion) but ...
  • ... Integrity critical for data communications (each bit matters!)
33
UMTS Security Architecture (2b)
Weaknesses of GSM security that require corrections – cont.
– Short length of encryption key
– Weaknesses in implementations of the A3 and A8 algorithms
  • Allow compromising K (long-term key)
    – This allows cloning SIM
– ...
34
UMTS Security Architecture (3)
Principles for new security architecture in UMTS
– Fix the weaknesses of GSM
– Without changing general GSM security principles
  => Extending them
New security features in 3G
– Address the weaknesses
– Without changing general GSM security principles
– Instead, extend GSM security principles
  • ‘Reverse’ authentication (BS to MS)
  • Integrity protection
35
Authentication in UMTS
Details
– GSM triplet (RAND, SRES, CK) replaced by a quintuple – the UMTS authentication vector: (RAND, XRES, CK, IK, AUTN)
where:
  • RAND – as before
  • XRES – expected response to RAND
  • CK – as before
  • IK – integrity protection key
  • AUTN – token that:
    (a) authenticates HN (home net) to MS
    (b) proves freshness of RAND
36
Authentication in UMTS (2)
• Construction of authentication vector in UMTS standard
• SQN = sequence # maintained synchronously by MS and HN
• AK = anonymity key: to hide SQN value from eavesdroppers
• AMF = auth. & key mngmt field: to pass parameters from HN to MS
• MAC = message authentication code (nothing to do with MAC sublayer)
• f1 – f5 = one-way (hashing) functions
Notes:
- ⊕ – the XOR operation
- SQN encoded with AK (SQN ⊕ AK) to protect privacy of MS (otherwise an eavesdropper could associate different executions of the authentication protocol, carrying consecutive sequence #s, with the same subscriber)
37
Authentication in UMTS-3GPP
[Figure: message flow between MS, Visited Network and Home Network]
Home Network: generation of cryptographic material from K (user’s secret key), SQN and RAND(i) -> i-th authentication vector <RAND(i), XRES(i), CK(i), IK(i), AUTN(i)>, sent to the Visited Network
MS -> Visited Network: IMSI/TMSI
Visited Network -> MS: User authentication request RAND(i) || AUTN(i)
MS (using K):
1) Verify AUTN(i) (cf. next slide):
   - Generate AK
   - Decode SQN
   - Verify MAC
   - Verify SQN(i)
2) Compute RES(i) (next)
3) Compute CK(i) (next)
4) Compute IK(i) (next)
MS -> Visited Network: User authentication response RES(i)
Visited Network: compare RES(i) and XRES(i); select CK(i) and IK(i)
From now on CK(i) & IK(i) are used to protect integrity & confidentiality of msgs
Recall:
• AK = anonymity key: to hide SQN value from eavesdroppers
• SQN = sequence # maintained synchronously by MS and HN
• MAC = message authentication code
38
User Authentication Function in the USIM
USIM: User Services Identity Module
[Figure: AUTN(i) = (SQN ⊕ AK) || AMF || MAC. From K and RAND(i) the USIM computes AK(i) = f5(K, RAND(i)), recovers SQN(i) = (SQN ⊕ AK) ⊕ AK(i), then computes XMAC(i) = f1(K, SQN(i), RAND(i), AMF) (expected MAC), RES(i) = f2(K, RAND(i)) (result), CK(i) = f3(K, RAND(i)) (cipher key) and IK(i) = f4(K, RAND(i)) (integrity key)]
• Verify MAC = XMAC (if yes, SQN originated in MS’s home network)
• Verify that SQN(i) > most recent SQN stored by MS
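The AUTN construction and the two USIM checks above, as an added worked example (not code from the slides, the textbook or 3GPP): the home network builds an authentication vector, the USIM recovers SQN with the anonymity key, verifies the MAC before answering (a fake network without K fails here) and rejects a re-used vector on the SQN check (replay fails here), and the visited network compares RES with XRES. The f1..f5 functions are modelled as labelled HMAC-SHA256 truncated to the TS 33.102 field sizes; that, the AMF value and the SQN-as-counter handling are assumptions of this example, not MILENAGE.

```python
import hashlib
import hmac
import os

# f1..f5 are the 3GPP authentication and key-generation functions (operators
# normally use MILENAGE). They are modelled here, as an assumption, by HMAC-SHA256
# with a domain label, truncated to the TS 33.102 sizes: MAC 64 bits, RES 64 bits,
# CK/IK 128 bits, AK 48 bits; SQN is 48 bits and AMF 16 bits.
def _prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC
def f2(k, rand): return _prf(k, b"f2", rand)[:8]    # RES / XRES
def f3(k, rand): return _prf(k, b"f3", rand)[:16]   # CK
def f4(k, rand): return _prf(k, b"f4", rand)[:16]   # IK
def f5(k, rand): return _prf(k, b"f5", rand)[:6]    # AK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """HLR/AuC: generates authentication vectors from K and its copy of SQN."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def auth_vector(self, amf: bytes = b"\x80\x00"):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f1(self.k, rand, sqn, amf)
        autn = xor(sqn, f5(self.k, rand)) + amf + mac    # (SQN xor AK) || AMF || MAC
        return rand, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand), autn


class Usim:
    """USIM: verifies AUTN (network authenticity + freshness) before answering."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn_max = 0   # highest SQN accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = f5(self.k, rand)
        sqn = xor(sqn_ak, ak)                  # decode SQN
        xmac = f1(self.k, rand, sqn, amf)      # expected MAC
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC failure: AUTN was not produced by the home network")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_max:                  # SQN must be strictly increasing
            raise ValueError("SQN failure: replayed or stale authentication vector")
        self.sqn_max = n
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)   # RES, CK, IK


def run_aka(hn: HomeNetwork, usim: Usim, vector=None) -> str:
    """Visited-network view of one AKA run: returns 'OK' or the reason for rejection."""
    rand, xres, ck, ik, autn = vector or hn.auth_vector()
    try:
        res, ck_ms, ik_ms = usim.authenticate(rand, autn)
    except ValueError as e:
        return str(e)
    if not hmac.compare_digest(res, xres):
        return "RES mismatch"
    assert ck_ms == ck and ik_ms == ik     # both sides now share CK and IK
    return "OK"
```

Note the order of the checks: the MAC is verified before SQN is trusted, so an attacker who replays an old RAND || AUTN passes the MAC check (it is genuine) but fails on SQN, while an IMSI-catcher-style fake network that invents its own AUTN fails on the MAC and never learns RES. In the real protocol an SQN failure triggers a resynchronisation procedure; this example simply rejects.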
39
Conclusion on UMTS security
Some improvement w.r.t. 2G
– Cryptographic algorithms are published
– Integrity of the signalling messages is protected
Quite conservative solution
– Privacy/anonymity of the user not completely protected
– Complicates 2G-3G interoperability
  – Might open security breaches
Securing wireless networks
b. WiFi Security: WEP, WPA, & WPA2
- intro to WiFi
- WEP
  - intro to WEP
  - WEP flaws
  - WEP – Lessons learnt
- 802.11i
- Summary of WiFi security
41
b.1. Introduction to WiFi (1)
[Figure: the STA scans on each channel and receives beacons from the AP, then exchanges association request / association response with the AP, after which it is “connected”]
beacon contents:
- MAC header
- timestamp
- beacon interval
- capability info
- SSID (network name)
- supported data rates
- radio parameters
- power save flags
STA = mobile STAtion
AP = Access Point
42
Introduction to WiFi (2)
[Figure: an AP connected to the Internet]
43
b.2. WEP
b.2.1. Intro to WEP
WEP = Wired Equivalent Privacy
WEP is a part of the IEEE 802.11 specification
goal
– make WiFi net at least as secure as a wired LAN
  • that has no particular protection mechanisms
– WEP was never intended to achieve strong security
services
– access control to the network
– message confidentiality
– message integrity
44
WEP – Access control
before association, STA needs to authenticate itself to AP
authentication is based on a simple challenge-response protocol:
STA -> AP: authenticate request
AP -> STA: authenticate challenge (r)
  r is 128 bytes long (the 802.11 challenge text is 128 octets)
STA -> AP: authenticate response (eK(r))
AP -> STA: authenticate success/failure
if authentication fails, no association is possible
if authentication succeeds:
– STA sends an association request
– AP responds with an association response
45
WEP – Message confidentiality and integrity
WEP encryption - based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.)
– Operation:
  • Sending message:
    – RC4 generator is initialized with:
      » a shared secret (shared between STA & AP)
      » an initialization vector (IV) – 24 bits
    – RC4 produces a key stream (a pseudo-random byte sequence)
    – Key stream is XORed with the message
  • Msg reception is analogous
– Essential: different key stream for each message
  – shared secret - the same for each message
  – IV - changes for every message
WEP integrity protection - based on an encrypted CRC value
– Operation:
  • Integrity check value (ICV) is computed and appended to the message
  • the message and the ICV are encrypted together
46
WEP – Message confidentiality and integrity (2)
[Fig. 1.3. Encryption and decryption in WEP. Encode: the IV and the secret key seed RC4, which outputs the key stream K; K is XORed with (message || ICV), and the transmitted frame is IV || ((message || ICV) ⊕ K). Decode: the receiver takes the IV from the frame, seeds RC4 with the IV and the secret key to regenerate K, and XORs K with the ciphertext to recover message || ICV. Shaded items (the secret key and K) are secret.]
K = key stream
ICV = CRC value for “message”
47
WEP – Kinds of Keys
WEP standard - two kinds of keys are allowed
– Default key
  • Also called: shared key, group key, multicast key, broadcast key, key
– Key-mapping keys
  • Also called: individual key, per-station key, unique key
In practice, often only default keys are supported
– Default key - manually installed in every STA & AP
– Each STA uses the same shared secret key (see the “Default key” fig.)
  => in principle, STAs can decrypt each other’s messages
[Figure: Default key – STAs X, Y and Z each hold key:abc and the AP holds key:abc. Key-mapping key – STA X holds key:def, Y holds key:ghi, Z holds key:jkl, and the AP holds the table id:X | key:def, id:Y | key:ghi, id:Z | key:jkl]
48
WEP – Management of default keys
The default key is a group key
– Group keys need to be changed when a member leaves the group
  • E.g., when someone leaves the company and shouldn’t have access to its network anymore
Practically impossible to change the default key in every device simultaneously
=> WEP supports multiple default keys for smooth change of keys
– One of the keys is the active key
  • Used currently to encrypt messages
– Any default key can be used to decrypt messages
  • The message header contains a key ID
    – Allows the receiver to find out which default key decrypts the message
    (the receiver only needs to hold that one key among its default keys)
49
WEP – The key change process
[Figure: the default-key sets held by STA1, STA2 and AP over time; a, b, c, d, e, f are default keys, * indicates the active key. Each device moves from abc*--- (only the old keys, c active) through abc*def (new keys d, e, f installed, c still active) and abcdef* (f made the active key) to ---def* (old keys removed), with the devices changing at different times.]
Note:
* A new STA can read msgs encoded with c (since it still includes c as a default key)
* AP can read msgs encoded with f (since it includes f as a default key)
50
b.2.2. WEP flaws
WEP Flaws in Authentication & Access Control
Flaw 1: Authentication is not mutual (one-way only)
– AP is not authenticated by STA (mobile STAtion)
  • STA is at risk to associate with a rogue AP
Flaw 2: The same shared secret key used for authentication & encryption
  • I authenticate X if X uses one of “my” group keys for encrypting her messages
  • I don’t authenticate Y if his msg can’t be decrypted using one of my group keys
– Bad! Weaknesses in any of the two protocols can be used to break the key for the other protocol
Flaw 3: STA authenticated only at connection time
=> Access control is not continuous
– Once STA has authenticated with (& associated to) AP, an attacker can send messages using the MAC (medium access control) address of STA
  • Correctly encrypted messages cannot be produced by the attacker (does not know a group key)…
  • … But attacker can replay STA msgs (e.g., STA1 msg replayed as STA5 msg)
=> STA can be impersonated (next slide)
51
WEP flaws in Authentication and Access Control (2a)
Flaw 4: Using RC4 for encrypting the random challenge
– Recall: Authentication based on a challenge-response protocol:
…
AP -> STA: C          C = challenge
STA receives C, calculates response:
STA -> AP: IV || (C ⊕ K)
…
[Figure: STA encodes – the IV and the secret key seed RC4, which outputs K; the response is IV || (C ⊕ K)]
K = key stream (RC4 output), as long as the challenge
52
WEP flaws in Authentication and Access Control (2b)
– An attacker can:
  • Capture challenge C - when sent from AP to STA
  • Capture the encrypted challenge in the response R = (C ⊕ K) - when sent from STA to AP
  • Compute key stream: K = C ⊕ (C ⊕ K)
– Later, attacker can use key stream K to impersonate a legitimate STA:
…
AP -> attacker: C’          C’ – any challenge!
attacker -> AP: IV || (C’ ⊕ K)   - a correct response to any … challenge
Note: IV does not help to prevent the attack
- Since the IV is selected by the sender – i.e., the attacker, who simply reuses the IV of the captured response, so the AP regenerates the very same K
53
WEP Flaws in Replay Protection & Integrity
Replay protection: none at all
– IV not mandated to be incremented after each msg
Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption
– ICV appended to clear message M (see Fig. 1.3) is the CRC value for M (CRC = cyclic redundancy code)
– CRC is a linear function w.r.t. XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)
- WEP-encrypted message M (cf. Fig. 1.3): (M || CRC(M)) ⊕ K
54
WEP Flaws in Replay Protection & Integrity (2)
Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption – cont.
- Attacker observes encrypted message M: (M || CRC(M)) ⊕ K
- ΔM = changes that attacker wants to make in M
- Unfortunately, the attacker can compute CRC(ΔM) for any ΔM
- Hence, the attacker can also compute the encrypted message (M ⊕ ΔM) as follows:
  Captured encrypted message M ⊕ (ΔM || CRC(ΔM))
  = ((M || CRC(M)) ⊕ K) ⊕ (ΔM || CRC(ΔM))
  = ((M ⊕ ΔM) || (CRC(M) ⊕ CRC(ΔM))) ⊕ K
  = ((M ⊕ ΔM) || CRC(M ⊕ ΔM)) ⊕ K
  - encrypted message (M ⊕ ΔM)
The attacker takes the captured encrypted msg and XORs in the last component (which includes no K! -- so the attacker need NOT know K!)
By the algebra above, the effect is AS IF the attacker knew K (even though she does NOT know K)
55
WEP Flaws in Confidentiality
Flaw 1: IV reuse
– IV space is too small - only 24 bits
  => there are only about 17 million (16,777,216) possible IVs - an IV is reused after about 17 million msgs
– A WiFi device transmits approx. 500 full-length frames per sec.
  => IV space is used up in a few hours
=> Repeating IVs means repeating key streams (pseudo-random sequences) used for encryption
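The WEP frame format of Fig. 1.3 and three of the flaws discussed on the preceding slides (the keystream recovered from the shared-key handshake in Flaw 4, the CRC bit-flipping attack on the ICV, and keystream reuse when an IV repeats), as one added worked example that is not code from the slides or the textbook. It implements RC4 and the WEP encode/decode of Fig. 1.3 on top of Python's zlib CRC-32, then runs each attack without ever touching the secret key. The 13-byte key, IV values and sample frames are constructed for the example. One caveat the slides gloss over: the standard CRC-32 (with its initial value and final XOR) is affine rather than strictly linear over XOR, so the ICV correction the attacker adds is CRC(ΔM) ⊕ CRC(0…0), not CRC(ΔM) alone; the code applies that correction.

```python
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling + PRGA, returning the first n keystream bytes.
    As in WEP nothing is discarded, which is what the weak-key (FMS) attack exploits."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """Fig. 1.3: frame = IV || ((msg || ICV) xor RC4(IV || secret)); IV is 3 bytes (24 bits)."""
    body = msg + icv(msg)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + secret, len(ct)))
    msg, tag = body[:-4], body[-4:]
    if tag != icv(msg):
        raise ValueError("ICV mismatch")
    return msg

# --- Flaw 4 (authentication): the shared-key handshake leaks a keystream --------
def auth_response(secret: bytes, iv: bytes, challenge: bytes) -> bytes:
    """STA -> AP: the challenge sent back as an ordinary WEP frame."""
    return wep_encrypt(secret, iv, challenge)

def recover_keystream(challenge: bytes, response: bytes):
    """Eavesdropper: K = (C || ICV(C)) xor ((C || ICV(C)) xor K); the IV travels in the clear."""
    return response[:3], xor(challenge + icv(challenge), response[3:])

def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Impersonator: reuse the captured IV so the AP regenerates the same K."""
    return iv + xor(challenge + icv(challenge), keystream)

# --- Integrity flaw: CRC is linear (affine) over XOR, so ciphertext is malleable --
def bitflip(frame: bytes, delta: bytes) -> bytes:
    """Without the key, turn a frame carrying M into one carrying M xor delta.
    Standard CRC-32 satisfies crc(M ^ D) = crc(M) ^ crc(D) ^ crc(0...0), so the
    ICV correction is icv(delta) ^ icv(zeros); delta must be len(M) bytes."""
    iv, ct = frame[:3], frame[3:]
    delta_icv = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + delta_icv)

# --- Confidentiality flaw 1: a repeated IV means a repeated keystream --------------
def iv_reuse_recover(frame_a: bytes, known_msg_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV and secret share K; knowing all of plaintext A
    reveals plaintext B (B must be no longer than A)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor(known_msg_a + icv(known_msg_a), frame_a[3:])
    return xor(frame_b[3:], keystream)[:-4]

def iv_exhaustion_hours(frames_per_second: int = 500) -> float:
    """Time until a 24-bit IV counter wraps at the slide's frame rate (about 9.3 h at 500/s)."""
    return 2 ** 24 / frames_per_second / 3600
```

Every attack function above takes only what an eavesdropper sees on the air: the challenge, the response, or two ciphertext frames. That is the practical meaning of "no replay protection, linear ICV, 24-bit IV": the key never has to be recovered to impersonate a station, alter a frame, or read traffic.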
56
WEP Flaws in Confidentiality (2)
Flaw 2: IV initialization & incrementing
– Many implementations initialize IV with 0 on startup & increment it by 1 for each next msg
  • If several devices are switched on nearly simultaneously, all use the same sequence of IVs
  • If they all use the same secret key (which is the common case for a default key for a group of devices under a single AP), then the same key streams (pseudo-random sequences) are used for encryption
=> An attacker does not need to wait for msgs using repeated key streams (due to using up all IV values)
  • Gets messages encrypted with the same key stream immediately
57
WEP flaws in Confidentiality (3)
Flaw 3 (total collapse of WEP): Weak RC4 keys
– For weak keys (some seed values), the beginning of the RC4 output is not really random
  • One can infer the bits of the seed from the first few bytes of the RC4 output
    => breaking the key is made easier
– Crypto experts suggest: always throw away the first 256 bytes of the RC4 output…
– … but WEP doesn’t do that
58
WEP flaws in Confidentiality (4)
Flaw 3 (total collapse of WEP): Weak RC4 keys – cont.
– Due to the use of ever-changing IV values, eventually a weak key will be used
  • Attacker will know that
    – Because IVs are sent in the clear (see Fig. 1.3)
- WEP encryption can be broken:
  - by automatic key-cracking tools!
  - after eavesdropping on only k * 100,000 msgs!
– This is the most serious flaw
  • Since breaking WEP means finding out the secret key! (see Fig. 1.3)
    – Can read and fake messages at will
59
b.2.3. WEP – Lessons learnt
1. Engineering security protocols is difficult
– One can combine otherwise strong building blocks in a wrong way & obtain an insecure system at the end
  • Example 1:
    – Stream ciphers (e.g., RC4) alone are OK
    – Challenge-response protocols for authentication are OK
    – But they shouldn’t be combined (as in WEP)
  • Example 2:
    – Encrypting a msg digest (such as CRC) to obtain an ICV is a good principle
    – But it doesn’t work if the message digest function is linear w.r.t. the encryption function (as is the case for CRC, which is linear w.r.t. the XOR function used for encryption in WEP)
60
WEP – Lessons learnt
1. Engineering security protocols is difficult – cont.
– Use the help of a security expert — don’t do it alone (unless you are a security expert)
  • Functional properties can be tested...
  • ...but security can’t be tested
    - it is a non-functional property
    => it is extremely difficult to tell if a system is secure or not
– Using an expert in the design phase pays off (fixing the system after deployment will be much more expensive)
  • experts will not guarantee that your system is 100% secure...
  • ...but at least they know many pitfalls
  • they know the details of crypto algorithms
2. Avoid the use of WEP (as much as possible)
61
b.3. Overview of 802.11i
After the collapse of WEP => IEEE started to develop a new security architecture => 802.11i & Robust Security Network (RSN)
Main novelties in 802.11i w.r.t. WEP
– access control model is based on 802.1X
– flexible authentication framework
  • based on EAP – Extensible Authentication Protocol
– authentication can be based on strong protocols
  • e.g., TLS – Transport Layer Security
– authentication process results in a shared session key
  • prevents session hijacking
– different functions (encryption, integrity) use different keys derived from the session key using a one-way (hashing) function
– improved integrity protection
– improved encryption
62
b.3. Overview of 802.11i (2)
802.11i defines RSN (Robust Security Network)
– integrity protection & encryption based on AES
  • not on RC4 anymore
– nice solution ...
– ... but needs new hardware => can’t be adopted quickly
In addition to RSN, 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol)
– ugly solution ...
– ... but no new hardware required
  • runs on old hardware after a software upgrade
– confidentiality: encryption based on RC4
  • but WEP’s problems have been avoided
– integrity protection based on Michael (more on it later)
– authentication, access control, key management — same as in RSN
63
b.3. Overview of 802.11i (3)
Industrial names (industry, eager to fix WEP’s flaws, didn’t wait till the 802.11i architecture was finalized by IEEE. It quickly produced its own specs, hence had to use different names.)
– For TKIP: WPA (WiFi Protected Access)
– For RSN: WPA2
Chronology [Wikipedia]
– WEP security specification is a part of the IEEE 802.11 standard ratified in Sept. 1999
– RSN & TKIP are defined in IEEE 802.11i, ratified as a standard in June 2004
64
b.3.1. Authentication and access control in 802.11i
Authentication and access control in 802.11i
– Borrowed from the 802.1X standard
  • 802.1X originally for wired LANs
802.1X authentication & access control model – next slide
65
802.1X authentication model
[Figure: three systems on a LAN – the supplicant system, the authenticator system (which controls a port giving access to the services) and the authentication server system]
the supplicant requests access to the services (wants to connect to the network)
the authenticator controls access to the services (controls the state of a port)
the authentication server authorizes access to the services
– the supplicant authenticates itself to the authentication server (via the authenticator)
– if the authentication is successful:
  • the authentication server instructs the authenticator to switch the port on
  • the authentication server informs the supplicant that access is allowed
66
Mapping the 802.1X model to WiFi
Mapping 802.1X to WiFi:
– supplicant = STA (mobile device)
– authenticator = AP (access point)
– authentication server = server application running on AP or on a dedicated machine
– port = logical state implemented in software in the AP
One more thing added to the basic 802.1X model in 802.11i:
– successful authentication results not only in switching the port on
– but also in defining a session key between STA (supplicant) and the authentication server
  • the session key is sent to the AP (authenticator) in a secure way
    – using a shared key between the AP and the authentication server
    – this key is usually set up manually
67
Protocols – RADIUS, EAPOL, and EAP
RADIUS = Remote Authentication Dial-In User Service [RFC 2865-2869, RFC 2548]
– to carry EAP messages (next) between auth server & AP
  • MS-MPPE-Recv-Key attribute is used to transport the session key from auth server to AP
– RADIUS is mandatory for WPA & optional for RSN
EAPOL = EAP over LAN [802.1X]
– to carry EAP messages (next) between STA & AP
– to encapsulate EAP messages into LAN protocols
  • e.g., into Ethernet protocols
68
Summary of the protocol architecture
[Figure: protocol stacks of STA, AP and auth server. STA: 802.11 / EAPOL (802.1X) / EAP (RFC 3748) / EAP-TLS (RFC 2716) / TLS (RFC 2246). AP: 802.11 and EAPOL (802.1X) on the STA side; 802.3 or else / TCP/IP / RADIUS (RFC 2865) / EAP over RADIUS (RFC 3579) on the auth server side; EAP passes through the AP. Auth server: 802.3 or else / TCP/IP / RADIUS (RFC 2865) / EAP over RADIUS (RFC 3579) / EAP (RFC 3748) / EAP-TLS (RFC 2716) / TLS (RFC 2246). Note that RADIUS itself runs over UDP, not TCP.]
IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia, “IEEE 802.3”]
69
Protocols – RADIUS, EAPOL, and EAP (2)
EAP = Extensible Authentication Protocol [RFC 3748]
– carrier protocol – to transport the messages of “real” authentication protocols (e.g., TLS)
– very simple, with four types of messages:
• EAP request – carries messages from the supplicant to the authentication server
• EAP response – carries messages from the authentication server to the supplicant
• EAP success – signals successful authentication
• EAP failure – signals authentication failure
– authenticator (AP) doesn’t understand what is inside the EAP messages
• it recognizes only EAP success and EAP failure
70
Summary of the protocol architecture (same figure as on slide 68)
71
Protocols – RADIUS, EAPOL, and EAP (3)
EAP-TLS = TLS over EAP [RFC 2716]
– for server & client authentication, generation of master secret
– only the TLS Handshake Protocol is used
– TLS master secret becomes the session key
– mandatory for WPA & optional for RSN
72
Summary of the protocol architecture (same figure as on slide 68)
73
SKIP- Summary of the 802.11i protocol architecture
74
EAP in action
Figure: message flow between STA, AP, and auth server (messages between STA and AP are encapsulated in EAPOL; messages between AP and auth server are encapsulated in EAP over RADIUS)
STA → AP: EAPOL-Start
AP → STA: EAP Request (Identity)
STA → AP → auth server: EAP Response (Identity)
auth server → AP → STA: EAP Request 1
STA → AP → auth server: EAP Response 1
...
auth server → AP → STA: EAP Request n
STA → AP → auth server: EAP Response n
auth server → AP → STA: EAP Success
(EAP Requests 1…n and Responses 1…n carry the embedded authentication protocol)
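The exchange on this slide and the EAP message types on slide 69, as an added, runnable simulation (this is example code written for these notes, not code from the book or the slides). It assumes the RFC 3748 packet layout (Code, Identifier, Length, Data) and the Identity type; the inner "real" authentication method is a constructed challenge-response (HMAC-SHA256 over a server challenge, carried under the experimental type 255) standing in for EAP-TLS, and the authenticator relays EAP without looking inside it, flipping its port state only on EAP Success or Failure, as the slides describe.

```python
import hashlib
import hmac
import struct

# EAP codes and the Identity type from RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1
TYPE_DEMO = 255  # constructed: experimental type standing in for a real method such as EAP-TLS


def eap_pack(code: int, identifier: int, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) | Identifier(1) | Length(2, whole packet) | Data."""
    return struct.pack(">BBH", code, identifier, 4 + len(data)) + data


def eap_unpack(pkt: bytes):
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, pkt[4:]


class Supplicant:
    """STA side: answers the Identity request and the stand-in challenge."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def handle(self, pkt: bytes):
        code, identifier, data = eap_unpack(pkt)
        if code != EAP_REQUEST:
            return None                      # Success / Failure need no reply
        if data[0] == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, identifier, bytes([TYPE_IDENTITY]) + self.identity.encode())
        if data[0] == TYPE_DEMO:
            proof = hmac.new(self.secret, data[1:], hashlib.sha256).digest()
            return eap_pack(EAP_RESPONSE, identifier, bytes([TYPE_DEMO]) + proof)
        return None


class Authenticator:
    """AP side: relays EAP opaquely; only EAP Success / Failure change the port state."""
    def __init__(self):
        self.port_authorized = False

    def from_server(self, pkt: bytes) -> bytes:
        code, _, _ = eap_unpack(pkt)
        if code == EAP_SUCCESS:
            self.port_authorized = True       # switch the (logical) port on
        elif code == EAP_FAILURE:
            self.port_authorized = False
        return pkt                            # forwarded to the STA inside EAPOL

    def from_sta(self, pkt: bytes) -> bytes:
        return pkt                            # forwarded to the server inside EAP over RADIUS


class AuthServer:
    """Runs the Identity exchange, then one round of the stand-in method."""
    def __init__(self, users: dict, challenge: bytes):
        self.users, self.challenge = users, challenge
        self.identifier, self.peer = 0, None

    def start(self) -> bytes:
        self.identifier += 1
        return eap_pack(EAP_REQUEST, self.identifier, bytes([TYPE_IDENTITY]))

    def handle(self, pkt: bytes):
        code, identifier, data = eap_unpack(pkt)
        if code != EAP_RESPONSE or identifier != self.identifier:
            return None                       # not a response to our outstanding request: drop
        if data[0] == TYPE_IDENTITY:
            self.peer = data[1:].decode()
            self.identifier += 1
            return eap_pack(EAP_REQUEST, self.identifier, bytes([TYPE_DEMO]) + self.challenge)
        if data[0] == TYPE_DEMO and self.peer in self.users:
            expected = hmac.new(self.users[self.peer], self.challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, data[1:]):
                return eap_pack(EAP_SUCCESS, self.identifier)
        return eap_pack(EAP_FAILURE, self.identifier)


def run_exchange(sta: Supplicant, ap: Authenticator, server: AuthServer) -> bool:
    """Drive the flow from the 'EAP in action' slide; returns the AP's final port state."""
    pkt = ap.from_server(server.start())     # EAP Request (Identity) reaches the STA
    while True:
        reply = sta.handle(pkt)
        if reply is None:                    # STA received Success or Failure
            return ap.port_authorized
        from_server = server.handle(ap.from_sta(reply))
        if from_server is None:              # server dropped the response
            return ap.port_authorized
        pkt = ap.from_server(from_server)
```

Note that `Authenticator` never parses the Data field: the AP is a pass-through whose only decision is the port state, exactly the split of roles the 802.1X model defines.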
75
b.3.2. Key management
Pairwise master key (PMK) = the session key established between STA & AP as a result of the authentication procedure
– “Pairwise” since known only to STA & AP
• Known also to auth server (AS) – not counted since AS is a trusted entity
– “Master” bec. not used directly – used to generate encryption & integrity keys
Four keys derived from PMK are called the pairwise transient key (PTK) (in singular!)
– Data-encryption key (DEK)
– Data-integrity key (DIK)
– Key-encryption key (KEK)
– Key-integrity key (KIK)
76
b.3.2. Key management (2)
Special case: AES-CCMP – used in RSN (more on it later)
– Three keys only in its PTK (pairwise transient key)
• DEK = DIK
• KEK
• KIK
77
Four-way handshake protocol
Objective:
– AP & STA exchange their random #s
• to be used in PTK generation
– Proves to AP/STA that the other party also knows PMK (result of authentic’n)
78
Four-way handshake protocol (2)
The protocol (its msgs are carried by EAPOL):
AP: generate ANonce (nonce is a random #)
1) AP → STA: ANonce | KeyReplayCtr (Ctr = counter)
STA: generate SNonce and compute PTK
2) STA → AP: SNonce | KeyReplayCtr | MIC_KIK
(above msg includes info needed by AP for computing PTK)
AP: compute PTK, generate GTK & verify MIC (using KIK to verify MIC)
(a successful MIC verification proves to AP that STA has PMK)
3) AP → STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
STA: verify MIC and install keys
(a successful MIC verification proves to STA that AP has PMK; also, this msg signals that AP is ready to install the keys => ready for encrypting subsequent packets)
4) STA → AP: KeyReplayCtr+1 | MIC_KIK
(ACK to AP that STA got msg (3) from AP)
AP: verify MIC and install keys
MIC_KIK = Message Integrity Code (computed by the mobile device using KIK)
KeyReplayCtr = a counter used to prevent replay attacks
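The four messages above, run end to end as an added example (example code written for these notes, not code from the book or the slides). It derives the PTK with the 802.11i PRF-512 (HMAC-SHA1 keyed with the PMK over the sorted MAC addresses and nonces) and splits it into the four 128-bit keys named on slide 75 (KIK, KEK, DEK, DIK); the MIC is HMAC-SHA1 truncated to 128 bits. The {GTK}_KEK wrapping is a constructed XOR-with-a-KEK-derived-pad stand-in, not the real AES key wrap, so that the block runs with the standard library only. The replay counter is checked on both sides, and a wrong PMK is caught at message 2 before any key is installed.

```python
import hashlib
import hmac
import secrets

KEY_LABEL = b"Pairwise key expansion"   # label used by the 802.11i PTK derivation


def prf_512(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(PMK, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < 64:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Split the PTK into KIK, KEK, DEK, DIK (128 bits each).
    Addresses and nonces are sorted so STA and AP compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, KEY_LABEL, data)
    return {"KIK": ptk[0:16], "KEK": ptk[16:32], "DEK": ptk[32:48], "DIK": ptk[48:64]}


def mic(kik: bytes, body: bytes) -> bytes:
    """MIC_KIK over an EAPOL-Key body: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kik, body, hashlib.sha1).digest()[:16]


def wrap_gtk(kek: bytes, gtk: bytes) -> bytes:
    """Constructed stand-in for {GTK}_KEK (RSN really uses AES key wrap).
    XOR with a KEK-derived pad, so the same call unwraps."""
    pad = hashlib.sha256(kek + b"gtk-wrap-pad").digest()[:len(gtk)]
    return bytes(a ^ b for a, b in zip(gtk, pad))


def ctr_bytes(ctr: int) -> bytes:
    return ctr.to_bytes(8, "big")


def run_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes, gtk: bytes, ctr: int = 1) -> dict:
    """Simulate msgs 1-4; report where the handshake stopped and whether both sides agree."""
    # 1) AP -> STA: ANonce | KeyReplayCtr
    anonce = secrets.token_bytes(32)
    m1 = {"anonce": anonce, "ctr": ctr}

    # STA: generate SNonce, compute PTK;  2) STA -> AP: SNonce | KeyReplayCtr | MIC_KIK
    sta_last_ctr = m1["ctr"]
    snonce = secrets.token_bytes(32)
    ptk_sta = derive_ptk(pmk_sta, aa, spa, m1["anonce"], snonce)
    m2 = {"snonce": snonce, "ctr": m1["ctr"]}
    m2["mic"] = mic(ptk_sta["KIK"], m2["snonce"] + ctr_bytes(m2["ctr"]))

    # AP: compute PTK, verify MIC (proves the STA holds the PMK)
    if m2["ctr"] != ctr:
        return {"status": "fail", "reason": "replay counter mismatch in msg 2"}
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, m2["snonce"])
    if not hmac.compare_digest(m2["mic"], mic(ptk_ap["KIK"], m2["snonce"] + ctr_bytes(m2["ctr"]))):
        return {"status": "fail", "reason": "MIC on msg 2 failed: STA does not hold our PMK"}

    # 3) AP -> STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
    m3 = {"anonce": anonce, "ctr": ctr + 1, "gtk_enc": wrap_gtk(ptk_ap["KEK"], gtk)}
    m3["mic"] = mic(ptk_ap["KIK"], m3["anonce"] + ctr_bytes(m3["ctr"]) + m3["gtk_enc"])

    # STA: reject replays, verify MIC (proves the AP holds the PMK), install keys
    if m3["ctr"] <= sta_last_ctr:
        return {"status": "fail", "reason": "replayed msg 3"}
    if not hmac.compare_digest(m3["mic"], mic(ptk_sta["KIK"], m3["anonce"] + ctr_bytes(m3["ctr"]) + m3["gtk_enc"])):
        return {"status": "fail", "reason": "MIC on msg 3 failed: AP does not hold our PMK"}
    sta_last_ctr = m3["ctr"]
    gtk_sta = wrap_gtk(ptk_sta["KEK"], m3["gtk_enc"])

    # 4) STA -> AP: KeyReplayCtr+1 | MIC_KIK  (ACK; AP verifies and installs)
    m4 = {"ctr": m3["ctr"]}
    m4["mic"] = mic(ptk_sta["KIK"], ctr_bytes(m4["ctr"]))
    if m4["ctr"] != ctr + 1 or not hmac.compare_digest(m4["mic"], mic(ptk_ap["KIK"], ctr_bytes(m4["ctr"]))):
        return {"status": "fail", "reason": "msg 4 rejected"}

    return {"status": "ok", "same_ptk": ptk_sta == ptk_ap, "gtk_delivered": gtk_sta == gtk}
```

Run `run_handshake(pmk, pmk, aa, spa, gtk)` with matching PMKs to see both sides end with the same PTK and GTK; pass a different `pmk_sta` to see the AP stop at message 2 without ever sending the GTK.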
79
Four-way handshake protocol (3)
From now on, data packets sent between STA and AP are protected by DEK & DIK
They don’t protect msgs broadcast by AP to “its” STAs
– Bec. keys for broadcast msgs must be known to all STAs to which AP wants to broadcast
=> need group transient key (GTK) (next)
80
Group transient key (GTK)
– GTK includes:
• group-encryption key (GEK)
• group-integrity key (GIK)
– GTK sent to each STA separately
• encrypted with KEK of this single STA
81
Key hierarchies (summary)
Figure: key hierarchies
PMK (pairwise master key) – established by 802.1X authentication
↓ key derivation in STA and AP
PTK (pairwise transient keys, 128 bits each):
- key encryption key
- key integrity key
- data encryption key
- data integrity key
→ protection of unicast messages transmitted between STA and AP
GMK (group master key) – random generation in AP
↓ key derivation in AP
GTK (group transient keys):
- group encryption key
- group integrity key
→ transport to every STA (protected with that STA’s key encryption key); protection of broadcast messages transmitted from AP to STAs
82
b.3.3. TKIP and AES-CCMP
Recall:
1) 802.11i specs define security architectures:
* Old sec architecture (flawed) – protocol: WEP
WEP security specification is a part of the IEEE 802.11 standard (Sept. ’99)
* New sec architecture – protocols: supersedes WEP, defined as IEEE 802.11i, draft standard ratified in June ’04
+ RSN – uses AES cipher (instead of RC4 cipher) – needs new h/w
+ TKIP (optional protocol) – uses RC4 cipher – uses old h/w
2) Industry specs define security architectures:
+ WPA (WiFi Protected Access) – based on TKIP
+ WPA2 – name used for RSN by many WiFi manufacturers
[Wikipedia]
83
TKIP and AES-CCMP
Summary: AES used in RSN (=WPA2)
RC4 used in TKIP & WPA
84
TKIP
TKIP runs on old hardware (that supports RC4), but ...
...WEP weaknesses are corrected by TKIP
– TKIP fix for integrity: Michael – new msg integrity protection mechanism
• MIC (Message Integrity Code) value is added at SDU level (service data unit level) before fragmentation into PDUs
– that is, MIC value added to data received by MAC layer from higher layers before these data are fragmented
• implemented in the device driver (in software)
85
TKIP (2)
– TKIP fix for confidentiality: (recall: IV used as a replay counter)
• to fix IV reuse problem: increase IV length to 48 bits (from 24 bits)
• to fix weak keys problem: use per-packet keys (prevents attacker from observing a sufficient # of msgs encrypted with the same, potentially weak, key)
next sl.: new IV mechanism & generation of msg keys
86
TKIP – Generating RC4 keys
Figure: TKIP key mixing
– inputs: IV (48 bits), DEK (data encryption key, 128 bits, from PTK), MAC address
– key mix (phase 1): takes the upper 32 bits of the IV, the DEK, and the MAC address
– key mix (phase 2): takes the phase 1 output and the lower 16 bits of the IV; produces the per-packet key (104 bits)
– RC4 seed value (128 bits) = IV field (3x8 = 24 bits, including a dummy byte IV_d) | per-packet key (104 bits)
Recall:
- IV size in TKIP is increased from 24 to 48 bits.
- This creates difficulty: the old WEP hardware still expects a 128-bit RC4 seed value. => 48-bit IV & 104-bit key must be compressed into 128 bits.
The figure shows how this is done, that is, how the RC4 seed values (keys) are generated.
87
AES-CCMP (used in RSN)
AES = AES cipher algorithm
CCMP = CTR mode + CBC-MAC
– encryption based on CTR mode (using AES – next slide)
– integrity protection based on CBC-MAC (using AES – below)
SKIP- Calculation of CBC-MAC
– CBC-MAC is computed over the MAC header, CCMP header, and the MPDU (fragmented data)
– mutable fields are set to zero
– input is padded with zeros if length is not multiple of 128 (bits)
– CBC-MAC initial block:
• flag (8)
• priority (8)
• source address (48)
• packet number (48)
• data length (16)
– final 128-bit block of CBC encryption is truncated to (upper) 64 bits to get the CBC-MAC value
88
AES-CCMP
SKIP- CTR mode encryption
– MPDU and CBC-MAC value are encrypted, MAC and CCMP headers are not
– format of the counter is similar to the CBC-MAC initial block
• “data length” replaced by “counter”
• counter initialized with 1 and incremented after each encrypted block
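The CBC-MAC calculation and CTR encryption of the two slides above, combined into one runnable CCMP-style protect/unprotect pair, added here as an example (example code for these notes, not the book's or any driver's code). Two things are assumed: the block cipher is a constructed keyed stand-in (SHA-256 of key||block, truncated to 16 bytes) rather than AES, which is possible because CCM only ever calls the cipher in the forward direction, so the structure is unchanged while the block stays standard-library only; and the MAC header is a plain 24-byte data-frame header (FC, Duration, A1, A2, A3, Sequence Control) whose Duration and Sequence Control are treated as the mutable fields. The initial block and counter layout follow the slides (flag, priority, source address, packet number, length or counter starting at 1), and the MIC is the upper 64 bits of the last CBC block.

```python
import hashlib
import hmac
import struct

BLOCK = 16
MIC_LEN = 8   # final CBC-MAC block truncated to 64 bits


def aes_stand_in(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for one AES-128 block encryption (NOT AES, not secure).
    CCM uses the cipher only in the forward direction, so a keyed 16-byte PRF
    lets the CCMP structure run without an AES library."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad16(data: bytes) -> bytes:
    """Zero-pad to a multiple of 128 bits."""
    return data + b"\x00" * (-len(data) % BLOCK)


def zero_mutable(mac_header: bytes) -> bytes:
    """Assumed 24-byte header: FC(2) Duration(2) A1(6) A2(6) A3(6) SeqCtl(2).
    Duration and Sequence Control may change on retransmission, so they are zeroed."""
    h = bytearray(mac_header)
    h[2:4] = b"\x00\x00"
    h[22:24] = b"\x00\x00"
    return bytes(h)


def initial_block(flag: int, priority: int, src: bytes, pn: bytes, last16: int) -> bytes:
    """flag(8) | priority(8) | source address(48) | packet number(48) | data length or counter(16)."""
    return bytes([flag, priority]) + src + pn + struct.pack(">H", last16)


def cbc_mac(key: bytes, data: bytes) -> bytes:
    x = b"\x00" * BLOCK
    for i in range(0, len(data), BLOCK):
        x = aes_stand_in(key, xor(x, data[i:i + BLOCK]))
    return x


def ctr_crypt(key: bytes, ctr0: bytes, data: bytes) -> bytes:
    """CTR mode: the counter lives in the last 16 bits, starts at 1, +1 per block."""
    out = b""
    prefix, ctr = ctr0[:14], struct.unpack(">H", ctr0[14:])[0]
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], aes_stand_in(key, prefix + struct.pack(">H", ctr)))
        ctr += 1
    return out


def ccmp_protect(key: bytes, mac_header: bytes, ccmp_header: bytes, mpdu: bytes, pn: bytes, priority: int = 0) -> bytes:
    src = mac_header[10:16]                            # A2 = transmitter address
    aad = pad16(zero_mutable(mac_header) + ccmp_header)
    b0 = initial_block(0x59, priority, src, pn, len(mpdu))
    mic = cbc_mac(key, b0 + aad + pad16(mpdu))[:MIC_LEN]
    ctr0 = initial_block(0x01, priority, src, pn, 1)
    return mac_header + ccmp_header + ctr_crypt(key, ctr0, mpdu + mic)   # headers stay in clear


def ccmp_unprotect(key: bytes, frame: bytes, pn: bytes, priority: int = 0, hdr_len: int = 24, ccmp_len: int = 8):
    mac_header = frame[:hdr_len]
    ccmp_header = frame[hdr_len:hdr_len + ccmp_len]
    src = mac_header[10:16]
    plain = ctr_crypt(key, initial_block(0x01, priority, src, pn, 1), frame[hdr_len + ccmp_len:])
    mpdu, mic = plain[:-MIC_LEN], plain[-MIC_LEN:]
    aad = pad16(zero_mutable(mac_header) + ccmp_header)
    b0 = initial_block(0x59, priority, src, pn, len(mpdu))
    expected = cbc_mac(key, b0 + aad + pad16(mpdu))[:MIC_LEN]
    return mpdu if hmac.compare_digest(mic, expected) else None   # None = integrity failure
```

The split between what is authenticated (headers with mutable fields zeroed, plus the MPDU) and what is encrypted (MPDU plus MIC only) is the point to check when reading a CCMP implementation: a retransmitted frame with a new Duration value still verifies, while any change to the encrypted body, or a reused packet number, is rejected.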
89
SKIP- b.3.3. Bluetooth
P. 27 - 31
90
b.4. Summary of WiFi security
Security always considered important for WiFi
Early solution based on WEP
– seriously flawed
– not recommended to use
802.11i – the new security standard for WiFi
– access control model based on 802.1X
– flexible authentication based on:
• EAP
• upper layer authentication protocols (e.g., TLS, GSM authentication)
– improved key management
– TKIP
• uses RC4 => runs on old hardware…
• … but corrects WEP’s flaws
• mandatory in WPA, optional in RSN (=WPA2)
– AES-CCMP
• uses AES in CCMP mode (CTR mode and CBC-MAC)
• needs new hardware that supports AES
91
Recommended books
V. Niemi and K. Nyberg. UMTS Security. Wiley, 2003.
J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.
Caution: books describing standards age very quickly (especially in this field) !
92
THE END
95
SKIP- Generation of the authentication vectors (by the Home Environment)
Figure: Generate SQN; Generate RAND; K, RAND, SQN, and AMF feed the functions f1, f2, f3, f4, f5:
– f1 → MAC (Message Authentication Code)
– f2 → XRES (Expected Result)
– f3 → CK (Cipher Key)
– f4 → IK (Integrity Key)
– f5 → AK (Anonymity Key)
Authentication token: AUTN := (SQN ⊕ AK) || AMF || MAC
Authentication vector: AV := RAND || XRES || CK || IK || AUTN
AMF: Authentication and Key Management Field
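The construction of AV and AUTN above, together with the USIM-side checks it enables, as an added, runnable example (example code for these notes, not from the book, the slides, or 3GPP). The operator-specific functions f1…f5 are replaced by a constructed HMAC-SHA256 keyed with K (MILENAGE is not implemented here); what the block shows is how SQN is hidden under AK, how the MAC authenticates the network to the USIM, and how a stale SQN is detected as the synchronization failure that the next slide's f1*/f5* handle.

```python
import hashlib
import hmac
import secrets


def f(k: bytes, name: bytes, *inputs: bytes) -> bytes:
    """Constructed stand-in for the operator-specific functions f1..f5, keyed with K.
    Real networks use an operator algorithm set such as MILENAGE; HMAC-SHA256 is
    used here only so that the AV construction and the USIM checks can be run."""
    return hmac.new(k, name + b"".join(inputs), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k: bytes, sqn: bytes, amf: bytes, rand: bytes = None) -> dict:
    """Home Environment side:
    AUTN := (SQN xor AK) || AMF || MAC,  AV := RAND || XRES || CK || IK || AUTN."""
    rand = rand or secrets.token_bytes(16)
    mac = f(k, b"f1", sqn, amf, rand)[:8]     # f1 over SQN, AMF, RAND
    xres = f(k, b"f2", rand)[:8]
    ck = f(k, b"f3", rand)[:16]
    ik = f(k, b"f4", rand)[:16]
    ak = f(k, b"f5", rand)[:6]
    autn = xor(sqn, ak) + amf + mac
    return {"RAND": rand, "XRES": xres, "CK": ck, "IK": ik, "AUTN": autn}


def usim_check(k: bytes, rand: bytes, autn: bytes, last_sqn: bytes) -> dict:
    """USIM side: recover SQN with AK, verify MAC, check freshness, then derive RES/CK/IK."""
    ak = f(k, b"f5", rand)[:6]
    sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f(k, b"f1", sqn, amf, rand)[:8]):
        return {"status": "mac-failure"}       # network not authenticated
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        return {"status": "sync-failure"}      # SQN out of range: resynchronization (f1*, f5*) needed
    return {"status": "ok",
            "RES": f(k, b"f2", rand)[:8],
            "CK": f(k, b"f3", rand)[:16],
            "IK": f(k, b"f4", rand)[:16],
            "SQN": sqn}
```

A fresh AV verifies and yields RES equal to XRES; the same AV presented again (SQN not above the USIM's stored value) is reported as a synchronization failure rather than accepted, and an AV built under a different K fails the MAC check first.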
96
SKIP- More about the authentication and key generation function
In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).
f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
However, 3GPP provides a detailed example of algorithm set, called MILENAGE
MILENAGE is based on the Rijndael block cipher
In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm
97
SKIP- Authentication and key generation functions f1…f5*
Figure: MILENAGE structure
– OPc is derived from OP: OPc = E_K(OP) ⊕ OP
– RAND is processed first: E_K(RAND ⊕ OPc)
– f2, f3, f4, f5, f5*: each branch XORs this intermediate value with OPc, rotates by r_i, adds the constant c_i, encrypts with E_K, and XORs the result with OPc again
– f1, f1*: the intermediate value is first combined with SQN||AMF (and OPc), then rotated by r1, added with c1, encrypted with E_K, and XORed with OPc
OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants
E_K: Rijndael block cipher with 128 bits text input and 128 bits key
98
SKIP- f9 integrity function
Figure: f9 – the input COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0…0 is split into padded-string blocks PS0, PS1, PS2, …, PS_BLOCKS-1; each block is XORed into the chain and encrypted with KASUMI under IK; a final KASUMI encryption under IK modified by KM produces the output, of which the left 32 bits form MAC-I.
• KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits)
• PS: Padded String
• KM: Key Modifier
99
SKIP- Ciphering method
Figure: Sender (Mobile Station or Radio Network Controller): f8 with inputs CK, BEARER, COUNT-C, LENGTH, DIRECTION produces a KEYSTREAM BLOCK; CIPHERTEXT BLOCK = PLAINTEXT BLOCK ⊕ KEYSTREAM BLOCK. Receiver (Radio Network Controller or Mobile Station): f8 with the same inputs regenerates the KEYSTREAM BLOCK; PLAINTEXT BLOCK = CIPHERTEXT BLOCK ⊕ KEYSTREAM BLOCK.
BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter
100
SKIP- f8 keystream generator
Figure: f8 – the input COUNT || BEARER || DIRECTION || 0…0 is encrypted with KASUMI under CK modified by KM and kept in a register; for BLKCNT = 0, 1, 2, …, BLOCKS-1, the register value combined with BLKCNT (and the previous keystream block) is encrypted with KASUMI under CK, giving the keystream blocks KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …
KM: Key Modifier
KS: Keystream
101
SKIP- Detail of Kasumi
Fig. 1: KASUMI – eight-round Feistel structure on a 64-bit block (L0, R0: 32 bits each; output L8, R8 = C). Odd rounds apply FL_i then FO_i, even rounds FO_i then FL_i, with subkeys KL_i, KO_i, KI_i.
Fig. 2: FO Function – 32-bit input split into two 16-bit halves; three rounds each XOR a subkey KO_i,j, apply FI with KI_i,j, and swap halves.
Fig. 3: FI Function – 16-bit input split into 9 and 7 bits; S9 and S7 S-boxes, with zero-extend and truncate between the two widths, and subkey parts KI_i,j,1, KI_i,j,2.
Fig. 4: FL Function – 32-bit input split into two 16-bit halves; bitwise AND with KL_i,1 and bitwise OR with KL_i,2, each followed by a one-bit left rotation (<<<).
KL_i, KO_i, KI_i: subkeys used at i-th round
S7, S9: S-boxes
102
SKIP- Signaling integrity protection method
Figure: Sender (MS or Radio Network Controller): f9 with inputs IK, COUNT-I, FRESH, DIRECTION and the SIGNALLING MESSAGE produces MAC-I, sent along with the message. Receiver (Radio Network Controller or MS): f9 with the same inputs produces XMAC-I, which is compared with the received MAC-I.
FRESH = random input
103
SKIP- Protocols – LEAP, EAP-TLS, PEAP, EAP-SIM
LEAP (Light EAP)
– developed by Cisco
– similar to MS-CHAP extended with session key transport
EAP-TLS (TLS over EAP)
– only the TLS Handshake Protocol is used
– server and client authentication, generation of master secret
– TLS master secret becomes the session key
– mandated by WPA, optional in RSN
PEAP (Protected EAP)
– phase 1: TLS Handshake without client authentication
– phase 2: client authentication protected by the secure channel established in phase 1
EAP-SIM
– extended GSM authentication in WiFi context
– protocol (simplified):
STA → AP: EAP res ID (IMSI / pseudonym)
STA → AP: EAP res (nonce)
AP: [gets two auth triplets from the mobile operator’s AuC]
AP → STA: EAP req (2*RAND | MIC_{2*Kc} | {new pseudonym}_{2*Kc})
STA → AP: EAP res (2*SRES)
AP → STA: EAP success