Data Integrity and Network Security in Wireless LAN/3G Integrated Networks
Abbas Jamalipour
The University of Sydney, Australia
a.jamalipour@ieee.org
International Workshop on Internet Security and Management 2004
Sendai, Japan, Jan. 29, 2004
2003 A. Jamalipour
Contents
1. Mobile Internet and the Wireless LAN
2. Integrated Network Architecture
3. Security Arrangements
4. Concluding Remarks
1. Mobile Internet and the Wireless LAN
Wireless local area networks
- Wireless LAN is becoming increasingly popular
- Mobile users' typical demands for information access are characterized by heavy data files and applications; W-LAN can provide mobility and speed at the same time
- In major structured hot spots such as airports and rail stations, the mobile radio infrastructure support for data communications seems to be inadequate and expensive
- For office users, mobility, simple and low-cost network scalability, and high-speed access are advantageous factors
- For home users, the advantages of mobility without new wiring and at the same time high-speed access are the key issues
  - W-LAN provides network flexibility: no infrastructure (ad hoc), single-cell network (BSS), or cellular topology (ESS)
  - Use of unlicensed spectrum reduces the user's cost
Mobile Internet using W-LAN
- The simple structure and cost-efficient equipment involved in W-LAN can easily extend the fixed Internet into the mobile environment
- Mobility is supported, but on a limited scale; more than that is neither logically feasible nor economically efficient
- Data integrity, user and network security, and billing methods are not sufficiently supported by current standards
  - They can be added (as is being done), but this adds complexity and cost to the network, weakening the original advantages of W-LAN
- Traffic is loosely controlled through the multiple access scheme; more traffic requires better traffic management and licensed spectrum, adding cost and network complexity
- Co-located W-LANs can easily interfere with each other
Mobile Internet using cellular networks
- 2.5G/3G cellular systems will provide some infrastructure for the mobile Internet service, but not necessarily sufficient
- The cellular deployment timetable was not fast enough
- Cellular data rate growth does not follow the rapid increase in new applications' bandwidth demand
- Cellular tariffs are not easily reducible
- Cellular radio access will remain "the" limiting factor in competing on speed with wired networks
- Compatibility and roaming issues between IP networks and cellular systems are not necessarily resolved within cellular-only implementations
- Need for hybrid networks
Hybrid networks
- To support new and existing mobile Internet applications
- Horizontal communication among existing access technologies
  - cellular, cordless, W-LAN, short-range connectivity, wired
- On a common platform, to complement each other's services
- Connected through a common, flexible, seamless IP-based core network (questionable but promising)
- An advanced media access technology that connects the core network to different access technologies
- Global roaming and interworking between different access technologies: both horizontal (intra-system) and vertical (inter-system) handover
- Seamless, transparent service negotiation including mobility, security, quality (data rate, delay, dropping probability, etc.)
Vision of a hybrid network
[Figure: an IP core network (satellite backbone, private IP network, global Internet) joined through an inter-network access technology to Wireless LAN, GSM, cdmaOne, DECT, the GPRS/UMTS core, the cdma2000 core, the cdma2000 access network, the UMTS access network, PSTN/ISDN and ADSL]
Short- and long-term solutions
- Long-term solutions
  - Merging IP and cellular networks at the core and access sides
  - Reducing dissimilarities in the management of the two systems
  - Improving radio access technology
  - Global interconnection of cellular and IP networks
- Short-term solutions
  - Use the available infrastructures and try to accommodate simple systems within individual cellular networks
  - Push IP-oriented applications into cellular services
  - Gradually decrease the traffic load from non-IP services
  - Blend all traffic data into one mixed type
  - All in order to be prepared for the longer-term solutions
2. Integrated Network Architecture
Wireless LAN
- W-LAN: the most accessible network to start the short-term solutions with
- Much higher speed than 3G systems: 11-54 Mbps and above, compared with 300 Kbps – 2 Mbps
- Close relation with the legacy wired IP networks (basically an extension)
- Use of unlicensed spectrum and low-cost equipment that may enable low end-user tariffs too
- Already deployed in major hot spots and rapidly expanding; easily deployable anywhere
- Potential integrating elements in its architecture with cellular 3G systems
- Advantage of the huge research work under way toward its standardization and regulation, access control, and security
W-LAN and 3GPP
- 3GPP has already started the initiative for a cellular-Wireless LAN interworking architecture
  - To be included in the 3GPP Release 6 specifications
- Issues that need to be considered:
  - Integrating a highly standardized system such as UMTS with a loosely standardized network, i.e. the W-LAN
    - Standardize the W-LAN network architecture or its radio interface? Maybe not; keep it undefined
  - Integrating a multi-service network such as UMTS with the mainly IP-service network of W-LAN
  - Whether the W-LAN should be administered by the UMTS operator or treated just as a foreign network
  - User data routing and access to available services
    - UMTS CN versus IP backbone
W-LAN architecture
[Figure: a W-LAN Extended Service Set (ESS) with mobile nodes attached to Access Point 1 and Access Point 2 over a LAN bus (layer 2 distribution network); an Access Router leads to the IP backbone network, a Gateway NAPT to the external IP network interfaces, and an AAA server/proxy, billing, HTTP server, users database, DHCP and DNS hang off the IP and AAA interfaces]
W-LAN general architecture
- DHCP to provide the W-LAN terminal's IP address
- DNS to resolve Internet fully qualified domain name (FQDN) addresses into IP addresses
- Gateway NAPT (network address and port translation) to external networks (Internet)
  - Using W-LAN private-space IP addresses while enabling services offered by external networks at the same time
- HTTP server for local application-level services
- Billing system for accounting
- Access point: a layer 2 bridge between 802.11 and the Ethernet
- Security: using WEP, IEEE 802.1X/802.11i, RADIUS
User subscription
- 3GPP
  - A heavily worked area for all subscribers' charging and billing systems using SIM/USIM smart cards
  - User database kept at the home subscriber server (HSS) for IP and other packet services over the packet-switched CN
  - Establishment of global roaming among 3G operators
  - Overall, such a high level of security must not be compromised just for a new interworking domain
- Concluded that
  - The W-LAN needs to reuse the 3GPP subscription system
  - Equipping a W-LAN terminal with a SIM/USIM
  - Making the AAA signaling a roaming case, where all subscription services will be provided by the 3GPP HSS
Authentication and authorization
- 3GPP
  - Use of the (U)SIM card for subscriber authentication for network access and for agreement of the secret keys used for encryption and integrity protection
  - Use of a challenge-and-response algorithm for key management and authentication in GSM/GPRS, and an advanced version in UMTS
- Wireless LAN integrated network
  - Utilizing the new IEEE 802.11i for authentication, access control and key agreement functions, especially the extensible authentication protocol (EAP) based on RADIUS
  - Use of EAP-SIM: mainly using the SIM's key agreement algorithm
  - Use of EAP-AKA: encapsulating UMTS authentication and key agreement (AKA) within EAP
Integration options
- Use of W-LAN as a peer network
  - Really an "inclusion", not an "integration"
  - Connecting W-LAN and cellular systems independently to the IP core network
- Tight coupling
  - Accommodating W-LAN "tightly" inside the cellular core network
  - Achieving virtual high speed at the end-user level
- Loose coupling
  - Taking advantage of both the IP core network and the cellular core network without getting virtual (imaginary) high speed
  - Better option to get the two networks really "integrated"
  - Obviously with added overall complexity
V.K. Varma, S. Ramesh, K.D. Wong and J.A. Friedhoffer, "Mobility management in integrated UMTS/WLAN networks," 2003 IEEE International Conference on Communications (ICC '03), vol. 2, pp. 1048-1053, 11-15 May 2003.
Integration options
[Figure: the three options side by side. Peer network: 802.11b APs behind an AP GW, with AAA/HLR and AGW/HA, attached directly to the core IP network. Tight coupling: 802.11b APs behind an AP GW acting as SGSN' inside the UMTS CN (which also contains Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG and HSS/AAA). Loose coupling: 802.11b APs behind an AP GW acting as GSN', attached to the core IP network]
Peer network
[Figure: the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS/AAA) and two W-LAN ESSs (802.11b APs behind AP GWs, one of them with an AGW/HA and an AAA/HLR') all attached to the core IP network]
- Operation by the same or different UMTS and W-LAN operators
- Use of Mobile IP for mobility management among peer networks
- Inclusion of an HA functionality and an AAA server inside the UMTS CN for supporting mobility among UMTS and non-UMTS networks
- Multiple ESSs are connected via an access gateway to the IP CN
Peer network
- Authentication to UMTS and other peer networks
  - To UMTS: through an HLR emulator (HLR') in the W-LAN
    - The W-LAN appears as a foreign UMTS network
  - To other peer networks: through an AAA server and HA
- Roaming from UMTS to W-LAN, the MS
  - Associates with an access point
  - Performs AAA functions with the local AAA server, which interacts with the AAA server in the UMTS home
  - Obtains a CoA and sends a binding update
  - The HA then interacts with the HSS in the UMTS CN to update the location
- Similar procedure for roaming from W-LAN to UMTS
Tight coupling
- The W-LAN emulates either an RNC or an SGSN (shown as SGSN')
- The W-LAN is deployed either by UMTS or by an independent operator
- Mobility between the two networks means an inter-SGSN RA update
- With the same GGSN, the IP address will be assigned from the same pool: mobility results in no change of IP address
- All signaling and data traffic and the user location are maintained by the home subscriber server (HSS)
[Figure: the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS/AAA) with the 802.11b APs of the W-LAN behind an AP GW acting as SGSN' inside the CN; the core IP network sits behind the GGSN/HA]
Tight coupling
- This coupling allows independent W-LAN operators
  - The SGSN emulator meets the UMTS CN at the Gp interface
- Simple architecture and procedure
  - Use of UMTS mobility management
- To roam into a W-LAN high-speed network, an MS
  - Associates with an access point
  - Enters into an inter-SGSN routing area update with SGSN'
  - Connects to the UMTS CN via SGSN'
- Moving within a W-LAN ESS follows the W-LAN MM procedure
- Signal strength, bandwidth measurement, etc. may be used to select between the two networks when both are available
Loose coupling
- A master/slave architecture: UMTS is the master, the W-LAN the slave
- Connection of several W-LAN ESSs via individual GWs to a combined SGSN/GGSN emulator (GSN')
- Possible deployment of the W-LAN by UMTS or an independent operator: the W-LAN is a visiting network to the UMTS CN
[Figure: the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS/AAA) and the core IP network, with two W-LAN ESSs (802.11b APs behind AP GWs) attached via GSN'; signaling and data paths are drawn separately]
Loose coupling
- Different routing areas for UMTS and W-LAN
- Different sets of IP address domains
  - Simplifying the GGSN in forwarding packets from GSN'
- Different handling of signaling and data traffic
  - Signaling goes to the UMTS CN, directly (same operator) or indirectly (different operators)
  - Data traffic goes to the IP core directly
- Mobility management is more complex than in tight coupling, as a user has a different IP address when roaming from one network to another
Loose coupling
- While in UMTS
  - Performing Attach and PDP context activation
  - Following GPRS mobility management for moving around
- Roaming to W-LAN
  - Associating with an access point
  - Acquiring an IP address from the W-LAN domain
  - Attaching to GSN', similar to the UMTS attach
  - Authentication with UMTS by GSN' (via the old SGSN)
  - Updating the MS location and canceling the old one in the HSS
  - Exchanging packets directly through the IP core network
  - DNS or SIP could be used to identify the MS within the IP network; ongoing research
- Similar procedure when roaming to UMTS
Other issues in W-LAN/3G interworking
- Mobility management
  - Roaming between W-LAN and cellular networks
  - Criteria for roaming
    - data rate, signal strength, traffic load, application, user preference, network preference, handheld device type, …
  - Timing of roaming
  - Frequency of roaming
  - QoS guarantee issues after roaming
  - Device auto-detection and auto-configuration
- Network administration
  - One administrator or more for
    - AAA
    - Billing
    - Customer care
Interworking scenarios
- Only common billing and customer care
  - Even with no interworking, this may still be possible
- To have the same AAA functions as defined by 3GPP
  - This requires the AAA procedures to be adopted in the W-LAN too
- To have UMTS-specific services in the W-LAN
  - More interworking is needed, so that either a gateway to those services is emulated or they are accessed directly
- Service continuity is maintained
  - We can restrict the types of services to be maintained continuously based on QoS availability (e.g. voice delay)
- Seamless service across the two networks
  - Access even to the UMTS circuit-switched services from the W-LAN
3. Security Arrangements
Security requirements
- Requirements
  - The integrated system should not compromise 3G security
- Use of UMTS authentication and key agreement (AKA)
  - The AKA challenge-response procedure is network independent and may be run over other transport mechanisms
    - E.g., EAP-over-LAN supported by IEEE 802.11
- The home network in the integrated system should always be the 3GPP home
- The serving network should support EAP-AKA
  - An AAA node to handle the transport of EAP
- UMTS AKA relies on the terminal's smartcard
  - The USIM application runs the UMTS AKA cryptographic algorithm
- The W-LAN terminal should be able to access the USIM
  - Not necessarily through its own smartcard reader; the USIM can be accessed via the host system
Security elements
- Authentication
  - No problem, as the integrated network still uses the UMTS AKA procedure
- Confidentiality
  - Use of symmetric-key encryption to protect user and system data from disclosure by passive attacks
- Integrity
  - Use of a (symmetric) keyed cryptographic checksum function to protect data from modification by active attacks
  - Such functions are called message authentication codes (MAC); authentication is per message
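The confidentiality and integrity elements above, as an added worked example that is not part of the slides: each frame is encrypted under the cipher key CK and then tagged with a keyed checksum (MAC) under a separate integrity key IK, and the receiver discards any frame whose MAC does not verify, so a modification in transit is detected rather than silently decrypted. The HMAC-based keystream generator, the 12-byte nonce, the 64-bit tag length and the demo keys are constructed choices for illustration, not the 3GPP or 802.11i algorithms.

```python
# Added example (not from the slides): symmetric-key confidentiality plus a keyed
# checksum (MAC) giving per-message integrity, Python standard library only.
# The keystream generator is a stand-in built from HMAC-SHA256 in counter mode;
# a deployed system would use a standard cipher such as AES (as in 802.11i).
import hmac
import hashlib

NONCE_LEN = 12   # per-frame nonce; must never repeat under the same CK
TAG_LEN = 8      # 64-bit MAC tag (constructed choice for the demo)


def keystream(ck: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (CK, nonce) into `length` keystream bytes (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ck, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(ck: bytes, ik: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: confidentiality from CK, integrity from IK (separate keys)."""
    assert len(nonce) == NONCE_LEN
    ciphertext = xor_bytes(plaintext, keystream(ck, nonce, len(plaintext)))
    # The MAC covers nonce and ciphertext, so neither can be altered undetected
    tag = hmac.new(ik, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def unprotect(ck: bytes, ik: bytes, frame: bytes):
    """Return the plaintext, or None if the MAC check fails (frame modified or forged)."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(ik, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return xor_bytes(ciphertext, keystream(ck, nonce, len(ciphertext)))


def flip_bit(frame: bytes, index: int) -> bytes:
    """Change one bit of a frame, as a bit error or an active modification would."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


# Constructed demo keys and data (not real key material)
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
NONCE = bytes(range(NONCE_LEN))
MESSAGE = b"location update: RA=1234"


def demo():
    """Intact frame decrypts; a frame with one flipped ciphertext bit, or a tag made
    under the wrong IK, is rejected (None) instead of yielding garbled plaintext."""
    frame = protect(CK, IK, NONCE, MESSAGE)
    ok = unprotect(CK, IK, frame)
    tampered = unprotect(CK, IK, flip_bit(frame, NONCE_LEN + 3))  # ciphertext byte changed
    wrong_ik = unprotect(CK, bytes(16), frame)                    # receiver holds another IK
    return ok, tampered, wrong_ik


if __name__ == "__main__":
    print(demo())
```

Without the tag, the flipped ciphertext bit would decrypt to a plaintext with the same bit flipped and nobody would notice; with the tag the receiver can reject it before acting on it, which is the point of the slide's distinction between passive and active attacks.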
Security on the air
- Assumption: the access network supports confidentiality and integrity services over the air
  - A problem for W-LAN due to its weak WEP method
- Use of the new IEEE 802.11i specification
- Use of interim solutions such as Wi-Fi Protected Access (WPA)
  - Based on the Temporal Key Integrity Protocol (TKIP) of 802.11i
- W-LAN access points must also be protected against dedicated attacks that aim to get access to session keys
- A possible solution is to extend the W-LAN integrity and confidentiality services to the access server (similar to UMTS, where data connections are protected between the UE and the RNC)
- To solve the problem of confidentiality and integrity services over the air, we must go beyond the usual "link-layer" security mechanisms (e.g., create an IPsec tunnel between the UE and the network)
Security standards
- The security architecture of the integrated system is directly modeled on the UMTS security architecture
- UMTS access security: based on a one-pass mutual entity authentication scheme between the USIM and the serving network
- The AKA procedure provides authentication and generation of 128-bit session keys for confidentiality and integrity protection
- AKA procedure implementation
  - The cryptographic functions are implemented in the USIM and the HSS; they depend only on the HE operator
- AKA successful outcome
  - The USIM and the network will be mutually authenticated
  - They will get common key material
UMTS AKA procedure
- The AKA procedure consists of two phases
  - Phase 1: transfer of authentication vectors (AV) from the home environment (HE) to the serving network (SN)
    - Not available in the interworking version of AKA; AKA is globally executed from the HE toward the USIM
  - Phase 2: execution of the AKA procedure by the SN
[Figure: user equipment (UE: USIM and MS) - Node B / access point (AP) - radio network controller (RNC) - Iu interface - SGSN/VLR in the serving network (SN) - HLR/AuC / home subscriber server (HSS) in the home environment (HE); AVs are transported from the HE to the SN over MAP, and the one-pass challenge/response runs between the SN and the USIM]
G. M. Koien and T. Haslestad, "Security aspects of 3G-WLAN interworking," IEEE Communications Mag., pp. 82-88, Nov. 2003
Challenge/Response mechanism
- If the AKA fails, either during the challenge from the network or the response from the USIM, a resynchronization procedure will be required
[Figure: message sequence between the USIM and the network]
- Network: a valid AV is present; sends Challenge (RAND, AUTN)
- USIM:
  - Authenticate the network; if not ok, proceed with failure
  - Check the sequence number in AUTN; if not ok, resynchronize
  - Compute the response RES
  - Generate the key material
- USIM to network: Response (RES), or Failure (resync or MAC failure)
- Network:
  - Verify (authenticate) the USIM; if not ok, proceed with Reject (cause)
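The challenge/response sequence above, as an added simulation that is not part of the slides (Python, standard library only): the home environment issues an authentication vector, the USIM verifies MAC-A and then the sequence number carried in AUTN before returning RES and deriving CK/IK, the serving network checks RES against XRES, and a stale AV makes the USIM answer with an AUTS resynchronization token that the home environment verifies before moving its counter. The functions f1..f5 (and f1*/f5*) are HMAC-based stand-ins for the operator's MILENAGE set, the SQN acceptance rule is simplified to "strictly greater than the last accepted value", and K and RAND are constructed values.

```python
# Added example (not from the slides): a simulation of the UMTS AKA one-pass
# challenge/response between home environment (HLR/AuC), serving network and USIM.
# f1..f5 and f1*/f5* are HMAC-SHA256 stand-ins, not the real MILENAGE functions.
# Field widths follow the AKA layout: SQN 48 bits, AMF 16 bits, MAC-A/MAC-S 64 bits.
import hmac
import hashlib

SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8
AMF = b"\x80\x00"   # constructed AMF value


def _prf(k: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(k, label + data, hashlib.sha256).digest()


def f1(k, rand, sqn, amf):  return _prf(k, b"f1", rand + sqn + amf)[:MAC_LEN]    # MAC-A
def f1s(k, rand, sqn, amf): return _prf(k, b"f1*", rand + sqn + amf)[:MAC_LEN]   # MAC-S (resync)
def f2(k, rand):            return _prf(k, b"f2", rand)[:8]                       # RES / XRES
def f3(k, rand):            return _prf(k, b"f3", rand)[:16]                      # CK, 128 bits
def f4(k, rand):            return _prf(k, b"f4", rand)[:16]                      # IK, 128 bits
def f5(k, rand):            return _prf(k, b"f5", rand)[:SQN_LEN]                 # AK
def f5s(k, rand):           return _prf(k, b"f5*", rand)[:SQN_LEN]                # AK* (resync)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeEnvironment:
    """HLR/AuC: holds the long-term key K and the sequence counter SQN_HE per subscriber."""
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def authentication_vector(self, rand: bytes) -> dict:
        self.sqn += 1
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)   # SQN^AK || AMF || MAC-A
        return {"rand": rand, "autn": autn, "xres": f2(self.k, rand),
                "ck": f3(self.k, rand), "ik": f4(self.k, rand)}

    def resynchronize(self, rand: bytes, auts: bytes) -> bool:
        """Accept the USIM's AUTS only if MAC-S verifies, then move SQN_HE forward."""
        sqn_ms = xor(auts[:SQN_LEN], f5s(self.k, rand))
        if not hmac.compare_digest(auts[SQN_LEN:], f1s(self.k, rand, sqn_ms, bytes(AMF_LEN))):
            return False
        self.sqn = max(self.sqn, int.from_bytes(sqn_ms, "big"))
        return True


class USIM:
    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0

    def challenge(self, rand: bytes, autn: bytes):
        """Return ("RES", keys), ("MAC_FAILURE", None) or ("SYNC_FAILURE", auts)."""
        sqn_ak, amf, mac_a = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]
        sqn = xor(sqn_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac_a, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE", None                       # network not authenticated
        if int.from_bytes(sqn, "big") <= self.sqn_ms:        # replayed or stale AV (simplified rule)
            sqn_ms = self.sqn_ms.to_bytes(SQN_LEN, "big")
            auts = xor(sqn_ms, f5s(self.k, rand)) + f1s(self.k, rand, sqn_ms, bytes(AMF_LEN))
            return "SYNC_FAILURE", auts
        self.sqn_ms = int.from_bytes(sqn, "big")
        return "RES", {"res": f2(self.k, rand), "ck": f3(self.k, rand), "ik": f4(self.k, rand)}


class ServingNetwork:
    def authenticate(self, av: dict, usim: USIM):
        status, data = usim.challenge(av["rand"], av["autn"])
        if status != "RES":
            return status, data
        if not hmac.compare_digest(data["res"], av["xres"]):
            return "REJECT", None                            # USIM not authenticated
        return "SUCCESS", {"ck": av["ck"], "ik": av["ik"]}   # keys now shared by both sides


# Constructed values: not real subscriber key material
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")


def demo():
    he, usim, sn = HomeEnvironment(K), USIM(K), ServingNetwork()
    av = he.authentication_vector(RAND)
    first = sn.authenticate(av, usim)                        # fresh AV: success
    replay = sn.authenticate(av, usim)                       # same AV again: SQN check fails
    bad_autn = dict(av, autn=xor(av["autn"], b"\x01" + bytes(len(av["autn"]) - 1)))
    tampered = sn.authenticate(bad_autn, usim)               # altered AUTN: MAC-A fails
    stranger = sn.authenticate(av, USIM(bytes(16)))          # different K: MAC-A fails
    resynced = he.resynchronize(RAND, replay[1]) if replay[0] == "SYNC_FAILURE" else False
    return first[0], replay[0], tampered[0], stranger[0], resynced


if __name__ == "__main__":
    print(demo())
```

The order of the two checks on the USIM side matters: MAC-A is verified first, so the sequence number (and hence the AUTS token) is only ever processed for a challenge that provably came from the home environment.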
Security architecture (loose coupling)
- Rather simple architecture using AAA and EAP
  - To execute UMTS AKA from the 3G home domain toward the W-LAN UE
- The AAA architecture, with the RADIUS and/or Diameter protocols, is used to bridge the 3GPP and W-LAN access networks
- EAP-AKA allows execution of UMTS AKA over the W-LAN
[Figure: UE - AP - network access server in the W-LAN access network (visited network), reaching the 3GPP AAA proxy across the Internet; Wr reference points link the network access server, the 3GPP AAA proxy and the 3GPP AAA server, and Wx links the 3GPP AAA server to the home subscriber server in the home network]
Extensible authentication protocol (EAP)
- A key element in the security architecture of the integrated system
- Provides a generic peer-to-peer request-response transaction for authentication dialogs
- Supports multiple authentication mechanisms
  - Does not provide authentication itself, but supports existing authentication methods through specialized EAP methods
  - Uses a negotiation sequence in which the authenticator asks for information on which authentication method to use
  - The main authentication method supported is EAP-AKA, but a backend authentication server can always help the authenticator with unsupported authentication methods
- Runs directly over the link layer (no need for IP)
- Has its own flow control mechanisms
  - Can remove duplicate messages
  - Can retransmit lost messages
- Runs over different link layer protocols, including the IEEE 802.11 W-LAN link layer
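The EAP properties listed above, as an added example that is not part of the slides: an authenticator and a peer exchange Request/Response packets in the Code/Identifier/Length/Type layout of RFC 3748; every new request gets a fresh Identifier, a request whose response was lost is retransmitted with the same Identifier, the peer recognises that duplicate and repeats its cached response, and method negotiation happens through a Nak (the peer here speaks only EAP-AKA while the authenticator first proposes EAP-SIM). The method payloads are placeholders (the EAP-AKA attribute exchange itself is not implemented), and the lossy link, identity string and preferred-method list are constructed for the demo.

```python
# Added example (not from the slides): EAP request/response framing with
# Identifier-based duplicate removal, retransmission and Nak-based method negotiation.
# Packet layout follows RFC 3748; the per-method payloads are placeholders only.
from __future__ import annotations
from dataclasses import dataclass

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_SIM, TYPE_AKA = 1, 3, 18, 23   # registered EAP Type numbers


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    type: int = 0          # 0 = no Type field (Success/Failure packets)
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.code in (CODE_SUCCESS, CODE_FAILURE) else bytes([self.type]) + self.data
        return bytes([self.code, self.identifier]) + (4 + len(body)).to_bytes(2, "big") + body

    @classmethod
    def decode(cls, raw: bytes) -> EapPacket:
        code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
        if length != len(raw) or length < 4:
            raise ValueError("bad EAP length")
        if code in (CODE_SUCCESS, CODE_FAILURE):
            return cls(code, ident)
        return cls(code, ident, raw[4], raw[5:])


class Peer:
    """Supplicant side: answers requests and repeats its response to a duplicate request."""
    def __init__(self, identity: str, supported: set[int]):
        self.identity, self.supported = identity, supported
        self.last_id, self.last_response = None, None

    def handle(self, raw: bytes) -> bytes | None:
        req = EapPacket.decode(raw)
        if req.code != CODE_REQUEST:
            return None
        if req.identifier == self.last_id:            # retransmitted request: same answer again
            return self.last_response
        if req.type == TYPE_IDENTITY:
            resp = EapPacket(CODE_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        elif req.type in self.supported:
            resp = EapPacket(CODE_RESPONSE, req.identifier, req.type, b"<method data>")  # placeholder
        else:                                         # unsupported method: Nak listing what we speak
            resp = EapPacket(CODE_RESPONSE, req.identifier, TYPE_NAK, bytes(sorted(self.supported)))
        self.last_id, self.last_response = req.identifier, resp.encode()
        return self.last_response


class Authenticator:
    """AP / network access server side: drives the dialog and retransmits on loss."""
    def __init__(self, preferred: list[int], max_retries: int = 2):
        self.preferred, self.max_retries = preferred, max_retries
        self.ident = 0

    def _request(self, type_: int, data: bytes = b"") -> EapPacket:
        self.ident = (self.ident + 1) % 256            # fresh Identifier for each new request
        return EapPacket(CODE_REQUEST, self.ident, type_, data)

    def run(self, lossy_link) -> tuple[int, list[str]]:
        """lossy_link(raw) delivers a request to the peer and returns its response, or None if lost."""
        log: list[str] = []

        def exchange(req: EapPacket) -> EapPacket | None:
            for attempt in range(self.max_retries + 1):
                raw = lossy_link(req.encode())
                log.append(f"req id={req.identifier} type={req.type} try={attempt} -> "
                           + ("lost" if raw is None else "resp"))
                if raw is None:
                    continue                           # timeout: resend with the same Identifier
                resp = EapPacket.decode(raw)
                if resp.code == CODE_RESPONSE and resp.identifier == req.identifier:
                    return resp                        # any other Identifier would be a stale packet
            return None

        if exchange(self._request(TYPE_IDENTITY)) is None:
            return CODE_FAILURE, log
        candidates = list(self.preferred)
        while candidates:
            method = candidates.pop(0)
            resp = exchange(self._request(method))
            if resp is None:
                return CODE_FAILURE, log
            if resp.type == method:
                log.append(f"method {method} accepted -> Success")
                return CODE_SUCCESS, log
            if resp.type != TYPE_NAK:
                return CODE_FAILURE, log
            candidates = [m for m in candidates if m in resp.data]   # keep only methods the peer offered
        return CODE_FAILURE, log


def demo(drop_pattern: tuple[int, ...] = ()) -> tuple[int, list[str]]:
    """drop_pattern: indices of deliveries whose response is lost on the way back (constructed)."""
    peer = Peer("0123456789@wlan.example", {TYPE_AKA})
    auth = Authenticator(preferred=[TYPE_SIM, TYPE_AKA])
    deliveries = []

    def link(raw: bytes) -> bytes | None:
        resp = peer.handle(raw)                         # the peer always sees the request
        deliveries.append(len(deliveries))
        return None if deliveries[-1] in drop_pattern else resp

    return auth.run(link)


if __name__ == "__main__":
    print(demo(drop_pattern=(1,)))
```

Run with `drop_pattern=(1,)`, the second delivery (the EAP-SIM request) loses its Nak on the way back; the authenticator resends the same Identifier, the peer returns the cached Nak rather than re-processing the request, and the dialog completes with EAP-AKA using only three distinct Identifiers.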
4. Concluding Remarks
Concluding remarks
- A hybrid W-LAN/cellular network takes advantage of the wide-area coverage of the cellular systems and the high bandwidth and low-cost equipment of the W-LAN
- The three integrated architectures look good, but is there any other option?
- The three architectures each use one of the available mobility management techniques (GPRS/UMTS, W-LAN, MIP, SIP); is there any better option for MM in hybrid networks?
- While authentication and authorization are handled through different combinations of available methods (AAA, W-LAN, GPRS/UMTS, HLR, etc.), are those techniques sufficient?
  - Radio access security
  - Network access security
Further reading
- 3GPP, "3GPP System to Wireless Local Area Network (WLAN) Interworking; System Description," Tech. rep. 3GPP TS 23.234 v1.10.0, May 2003
- 3GPP, "Feasibility Study on 3GPP System to Wireless Local Area Network (WLAN) Interworking," Tech. rep. 3GPP TR 22.934 v6.1.0, Dec. 2002
- K. Ahmavaara, H. Haverinen, and R. Pichna, "Interworking Architecture Between 3GPP and WLAN Systems," IEEE Communications Mag., pp. 74-81, Nov. 2003
- A.K. Salkintzis, C. Fors, and R. Pazhyannur, "WLAN-GPRS Integration for Next-generation Mobile Data Networks," IEEE Wireless Communications, vol. 9, no. 5, pp. 112-124, Oct. 2002
- A. Doufexi, E. Tameh, A. Nix and S. Armour, "Hotspot Wireless LANs to Enhance the Performance of 3G and Beyond Cellular Networks," IEEE Communications Magazine, vol. 41, no. 7, pp. 58-65, July 2003
- B. Sarikaya and T. Ozugur, "Dormant Mode Operation Support for Roaming from WLAN to UMTS," IEEE International Conference on Communications (ICC '03), vol. 2, pp. 1038-1042, 11-15 May 2003
- Shiao-Li Tsao and Chin-Ching Lin, "VGSN: A Gateway Approach to Interconnect UMTS/WLAN Networks," The 13th IEEE Int. Symposium on Personal, Indoor and Mobile Radio Communications, vol. 1, pp. 275-279, 15-18 Sept. 2002
- ETSI, "Requirements and Architectures for Interworking Between HIPERLAN/3 and 3rd Generation Cellular Systems," Tech. rep. ETSI TR 101 957 v1.1.1, Aug. 2001
- G. M. Koien and T. Haslestad, "Security Aspects of 3G-WLAN Interworking," IEEE Communications Mag., pp. 82-88, Nov. 2003