chap18.Wireless Network Security - parkjonghyuk.net · chap18.Wireless Network Security JeongKyu...

chap18.Wireless Network Security

JeongKyu Lee

Email: [email protected]

SeoulTech UCS Lab 2015-1st

Table of Contents

18.1 Wireless Security

18.2 Mobile Device Security

18.3 IEEE 802.11 Wireless LAN Overview

18.4 IEEE 802.11i Wireless LAN Security

18.5 Recommended Reading

18.6 Key Terms, Review Questions, and Problems

2

1. Wireless Security

Some of the key factors contributing to the higher security risk

of wireless networks compared to wired networks include the

following • Channel: Eavesdropping and jamming than wired networks. Wireless

networks are also more vulnerable to active attacks that exploit

• Mobility: Mobility results in a number of risks.

• Resources: Limited memory and processing resources with which to

counter threats, including denial of service and malware.

• Accessibility: Greatly increases their vulnerability to physical attacks.

3

Wireless Network Threats (1/2)• Accidental association : A user intending to connect to one LAN may

unintentionally lock on to a wireless access point from a neighboring

network.

• Malicious association : a wireless device is configured to appear to be a

legitimate access point, enabling the operator to steal passwords from

legitimate users and then penetrate a wired network through a legitimate

wireless access point.

• Ad hoc networks : peer-to-peer networks between wireless computers

with no access point between them

• Nontraditional networks : Nontraditional networks and links, such as

personal network Bluetooth devices, barcode readers, and handheld

PDAs, pose a security risk in terms of both eavesdropping and

spoofing.

4


Wireless Network Threats (2/2)• Identity theft (MAC spoofing): This occurs when an attacker is able to

eavesdrop on network traffic and identify the MAC address of a

computer with network privileges.

• Man-in-the middle attacks: This attack involves persuading a user and

an access point to believe that they are talking to each other when in

fact the communication is going through an intermediate attacking

device. Wireless networks are particularly vulnerable to such attacks.

• Denial of service (DoS): The wireless environment lends itself to this

type of attack, because it is so easy for the attacker to direct multiple

wireless messages at the target.

• Network injection: A network injection attack targets wireless access

points that are exposed to nonfiltered network traffic, such as routing

protocol messages or network management messages. An example of

such an attack is one in which bogus reconfiguration commands are

used to affect routers and switches to degrade network performance.

5


6

Wireless Security Measures (1/2)Securing Wireless Transmissionsprincipal threats to wireless transmission are eavesdropping, altering or

inserting messages, and disruption

• Signal-hiding techniques: Organizations can take a number of measures

to make it more difficult for an attacker to locate their wireless access

points, including turning off service set identifier (SSID) broadcasting by

wireless access points; assigning cryptic names to SSIDs; reducing

signal strength to the lowest level that still provides requisite coverage;

and locating wireless access points in the interior of the building, away

from windows and exterior walls. Greater security can be achieved by

the use of directional antennas and of signal-shielding techniques.

• Encryption: Encryption of all wireless transmission is effective against

eavesdropping to the extent that the encryption keys are secured.


7

Wireless Security Measures (2/2)Securing Wireless Access Points The main threat involving wireless access points is unauthorized access to the

network. The principal approach for preventing such access is the IEEE

802.1X standard for port-based network access control.

Securing Wireless Networks1. Use encryption. Wireless routers are typically equipped with built-in

encryption mechanisms for router-to-router traffic.

2. Use antivirus and antispyware software, and a firewall.

3. Turn off identifier broadcasting. If a network is configured so that

authorized devices know the identity of routers, this capability can be

disabled, so as to thwart attackers.

4. Change the identifier on your router from the default.

5. Change your router’s pre-set password for administration. This is another

prudent step.

6. Allow only specific computers to access your wireless network. A router can

be configured to only communicate with approved MAC addresses.


Security Threats (1/4)

SP 800-14 lists seven major security concerns for mobile

devices.

• Lack of Physical Security Controls

Mobile device is required to remain on premises, the user

may move the device within the organization between secure

and nonsecured locations. theft and tampering are realistic

threats.

The threat is two fold: 1) A malicious party may attempt to recover sensitive data from the device

itself

2) may use the device to gain access to the organization’s resources.

8



• Use of Untrusted Mobile Devices

In addition to company-issued and company-controlled

mobile devices, virtually all employees will have personal

smartphones and/or tablets. The organization must assume

that these devices are not trustworthy.

• Use of Untrusted Networks

If a mobile device is used on premises, it can connect to

organization resources over the organization’s own in-house

wireless networks.

Thus, traffic that includes an off-premises segment is

potentially susceptible to eavesdropping or man-in-the-

middle types of attacks. 9



• Use of Applications Created by Unknown Parties

By design, it is easy to find and install third-party

applications on mobile devices. This poses the obvious risk

of installing malicious software.

• Interaction with Other Systems

Unless an organization has control of all the devices involved

in synchronization, there is considerable risk of the

organization’s data being stored in an unsecured location,

plus the risk of the introduction of malware.

10



• Use of Untrusted Content

Mobile devices may access and use content that other

computing devices do not encounter..

• Use of Location Services

The GPS service, it creates security risks. An attacker can

use the location information to determine where the device

and user are located, which may be of use to the attacker.

11


Fig1. Mobile Device Security Elements

12


13

• Station : The device is compatible with MAC and physical layer to IEEE802.11

• Access point (AP) : Station has a function. And an object that provides access to the distribution system over a wireless medium

• Basic service set (BSS) : Station set of all possible approaches, including the AP and the AP

• Extended service set (ESS) : A set of two or more mutually connected BSS in the expanded form of the BSS.

• Distribution system (DS) : BBS and the LAN and connects the system to generate an extended service set


14

• MAC protocol data unit (MPDU) : Unit for exchanging data using a physical layer service between the two MAC entities

• MAC service data unit (MSDU) : One information unit between MAC users

• Coordination function : Station logic function which operates within the BBS is decided to permit the transfer and acceptor Protocol data units (PDUs)


15

IEEE Standard Protocol Model

.....

Transport Layer

Network Layer

Data Link Layer

Physical Layer

OSI 7Layer


Fig2. IEEE 802.11 Protocol Stack

16

MSDU

Aggregation

MAC Layer

MPDU

Aggregation

Physical

Layer

LLC Layer

MPDU Format

MPDU FlowChart


Fig3. General IEEE 802 MPDU Format

17

• Direct communication between the client stations in the BSS does not occur.

• All Station within the BSS is a BSS, which is called directly transmitted and received without passing through the AP Independent BSS (IBSS).


Fig5. IEEE 802.11 Extended Service Set

18

Primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS

Primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS

Service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN. The term integrated refers to a wired LAN that is physically connected to the DS and whose stations may be logically connected to an IEEE 802.11 LAN via the integration service.

Service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN. The term integrated refers to a wired LAN that is physically connected to the DS and whose stations may be logically connected to an IEEE 802.11 LAN via the integration service.


19

Association : Establishes an initial association between a station and an AP. Before a station can transmit or receive frames on a wireless LAN, its identity and address must be known. For this purpose, a station must establish an association with an AP within a particular BSS. The AP can then communicate this information to other APs within the ESS to facilitate routing and delivery of addressed frames.

Reassociation : Enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another.

Disassociation : A notification from either a station or an AP that an existing association is terminated. A station should give this notification before leaving an ESS or shutting down. However, the MAC management facility protects itself against stations that disappear without notification.


20

• Wired Equivalent Privacy (WEP) algorithm

– Provides security between the wireless LAN operated as part of the 802.11.

• Wi-Fi Protected Access (WPA)

– Was created by the WiFi Alliance.– 802.11i security protocols to be used in the draft version

• Robust Security Network (RSN)

– Recent 802.11i standard form

18.4 IEEE 802.11i Wireless Security

21

• Authentication: Mutual recognition between the user and the AS using the protocol and defines a temporary key generation used between the client and the AP between the wireless link.

• Access control: Use the authentication function, will be done through the proper message routing and key exchange. The implementation of this feature, using a variety of authentication protocols.

• Privacy with message integrity: Encrypting the message with the integrity code can be confirmed that the data has not changed the data in the MAC layer.

802.11i RSN security services


22

Fig6. Elements of IEEE 802.11

CBC-MAC = Cipher Block Chaining Message Authentication Code (MAC)CCM = Counter Mode with Cipher Block Chaining Message Authentication CodeCCMP = Counter Mode with Cipher Block Chaining MAC ProtocolTKIP = Temporal Key Integrity Protocol

Elements of RSN


23

Fig7. IEEE 802.11i Phases of Operation


Discovery Phases(1/3)

24

The Discovery phase determines the technology used in the following areas.

l Confidentiality Integrity Protocol MPDU

l Authentication Method

l Cryptographic key management scheme


25

Encryption options are as follows for the confidentiality and integrity protection.

l WEP

l TKIP

l CCMP



26

MPDU exchange

l network and security features

l Open System Authentication

l Association



Authentication Phases(1/2)

27

• Authentication step of performing authentication between a STA and AS.

• Should allow an authenticated Station will use the network.

• Station to communicate with the network, and that we are guaranteeing the fair.

• Certification process step is composed of three steps: Connect to AS. ü EAP exchange. ü Secure Key Delivery.


28

1. Connect to AS• Station is connected to the AS

sends a request to their AP.• AP is a response to the received

request, and transmits the access request to the AS.

2. EAP ( Extensible authentication protocol) exchange • Do the mutual authentication

between the Station and the AS.

3. Secure Key Delivery: • The AS generates a Master

Session Key (MSK) after mutual authentication and sent to the Station.

• Master keys are transferred to the Station through the AP.

Authentication Phases(2/2)


Key Management Phases(1/3)

29

Pre-shared key AAA Key

Pairwise master key

Pairwise transient key

EAPOL key

confirmation key

EAPOL key

Encryption keyTemporal Key

사용자 정의

Out-of-band path EAP method path

PSK AAAK or MSK

PMK

PTK

KCK KEK TK

No modification

Possible truncation

PRF(pseudo-random function)Using HMAC-SHA-1


Fig8. Pairwise key hierarchy

30

• The key management phase, various encryption key is generated and being distributed Station.

• Pairwise key pair are commonly used for communication between the Station and the AP.

• This key is dynamically generated from a master key and limited use of time..

• The top layer has two kinds of keys are present.ü PSK is AP and Station shared

key to the dictionary..ü MSK is generated during the

authentication phase is different from the generation method according to the authentication protocol.



31

• Pairwise master key is generated in the following manner.ü PSK is used, generates a PMK with

PSKü MSK Gaga used if the PMK is cut

using some MSK.

• After the end of the final stage of certification is the AP and Station to share the PMK.



• PMK is finished and after mutual authentication between the AP Station is used to generate a PTK is used for communication.

• PTK = HMAC( PMK ||the MAC addresses of the STA and AP|| nonces ).

32


Fig9. Group key hierarchy

33


Fig10. IEEE 802.11i Keys for Data Confidentiality and Integrity Protocols

34


Fig10. IEEE 802.11i Phases of Operation: Four-Way Handshake and Group Key Handshake

35

Protected Data Transfer Phases

The IEEE 802.11i defines TKIP and CCMP two systems to deliver MPDU.

1. TKIP• Message integrity : Then after the data field by attaching a Message

integrity code (MIC) to ensure integrity. MIC is inputted with the destination MAC address, a data field and the key value through the Michael algorithm produces a 64-bit result value.

• Data Confidentiality: The MPDU encrypted data and MIC as RC4 to guarantee confidentiality.

2. CCMP• Message integrity : Use the Cipher Block Chaining Authentication Code.

• Data Confidentiality : The use of 128-bit AES encryption.


Thank You!

36

chap18.Wireless Network Security - parkjonghyuk.net · chap18.Wireless Network Security JeongKyu...

Documents

Transcript of chap18.Wireless Network Security - parkjonghyuk.net · chap18.Wireless Network Security JeongKyu...