Security and Cooperation in Wireless Networks Chapter 1


The security of existing wireless networks
a. Security of cellular networks
b. WiFi Security: WEP, WPA, and WPA2

Levente Buttyan and Jean-Pierre Hubaux

[--Note: L. Lilien made changes to improve clarity and formatting of slides, including: (1) adding more levels for prioritization of text, (2) changing font to larger size for most slides, (3) splitting many slides into 2 or more slides (necessary due to the above changes), (4) adding emphasis by changing font color to blue, (5) removing words that are superfluous in slides, (6) improving consistency of slides and the textbook. Modifications are 2007-2009 by Leszek T. Lilien. Requests to use L. Lilien's slides for nonprofit purposes will be gladly granted upon a written request.--]

Why is security more of a concern in wireless?
- No inherent physical protection
  - Physical connections between devices are replaced by logical associations
  - No need for physical access to the network infrastructure (cables, hubs, routers, etc.) for transmitting messages
- Wireless broadcast transmissions/communications
  - Usually, wireless = radio => a broadcast nature
  - Can be overheard by anyone in range
  - Anyone can transmit
    - Received by other devices in range

    - Interferes with other nearby transmissions
    - Jamming may prevent correct reception

Security vulnerabilities for wireless networks
- Eavesdropping is easy
- Messages can be altered, or bogus messages injected by an attacker (an example of an active attack)
- Easier to impersonate (= to cheat on identities)
- Replaying previously recorded messages is easy
- Illegitimate access to the network and its services is easy
- Denial of service (DoS) is easily achieved by jamming

Security requirements for wireless communication
- Recall: classic CIA security requirements
  - CIA = confidentiality + integrity + availability
  - Requirements below include CIA (in a different order)
- Authentication
  - Origin of received messages must be verified
- Access control
  - Limit access to network services to legitimate entities only
  - Need permanent access control

    - Checking the legitimacy of an entity only when it joins the network (and its logical associations are established) is not sufficient, because logical associations can be hijacked
- Confidentiality
  - Messages must be encrypted

Security requirements for wireless communication (2)
- Integrity
  - Malicious modification of messages is possible, even if modifying on-the-fly (during radio transmission) is not so easy
  - Integrity of received messages must be verified
- Privacy, incl. location privacy
  - Do not reveal the location of the user, nor the party with which she communicates
  - Law enforcement agencies must have access to these two pieces of info
- Non-repudiation
  - E.g., prevent the possibility that a user, after getting a message/service, pretends that she did not

Security requirements for wireless communication (3)
- Availability
  - In particular, guarantee a fair share of the radio resource, e.g., for all mobile users located in the same radio domain
  - Provide higher priority for more important communications, e.g., an emergency call from a cellular phone
- Other security requirements:
  - Replay detection: freshness of received messages must be checked
  - Protection against jamming

Securing wireless networks
a. Security of cellular networks
- Security in European cellular nets (similar in US cell nets)
  - in GSM (Global System for Mobile Communications) - a European 2G (2nd generation) cellular network
  - in UMTS (Universal Mobile Telecommunications System) - a European 3G (3rd generation) cellular network

REFRESHER SLIDES (quick presentation till Slide 23, the GSM SIM card slide)

Introduction To Cellular Systems
(see L. Lilien's Section 1 and Section 9 slides for CS6910: Pervasive Computing S07)

[Figure: a user moves from Washington, DC to Cincinnati, OH.] [LTL:] User moves but phone # unchanged
- Maintaining the telephone number across geographical areas in a wireless and mobile system

Generations of Wireless Systems & Services
- 1G - First Generation
  - Primarily for voice communication
  - Using FDM (frequency division multiplexing)
- 2G - Second Generation
  - Emphasis still on voice communication, but allows for data communication
  - Using TDM (time division multiplexing)
  - Indoor/outdoor and vehicular environment
- 3G - Third Generation
  - Integrated voice, data, and multimedia communication
  - Need for: high volume of traffic / real-time data communication
  - Flexibility, incl. frequent Internet access
  - Multimedia data transfer
  - Compatibility with 2G

  - Using compression, without compromising quality

2007 by Leszek T. Lilien

Future: 4G
- 4G expected to implement all standards from 2G & 3G
- Infrastructure only packet-based, all-IP
- Some of the standards paving the way for 4G:
  - WiMax
  - WiBro (Korean)
  - 3GPP Long Term Evolution
    - Improves the UMTS mobile phone standard (Europe)
  - Work-in-progress technologies, e.g., HSOPA, a part of 3GPP Long Term Evolution

Coverage Aspect of Next Generation Mobile Communication Systems
[Figure: coverage layers from smallest to largest: In-Building (picocell), Urban (microcell), Suburban (macrocell), Global (satellite).]

Fundamentals of Cellular Systems
[Figure: a service area divided into cells. The ideal cell area is a circle (2-10 km radius); an alternative shape of a cell is a square; the hexagonal cell area is used in most models. Illustration of a cell with a mobile station (MS) and a base station (BS).]
[LTL:] Cell shapes (above)
- Actually, a cell may have a zigzag shape
- Hexagon is a good approximation in practice
  - Also, gives non-overlapping cells (used by clever bees for beehives)
  - E.g., circles would either overlap, or would have gaps in between

MS, BS, BSC, MSC, and PSTN
[Figure: MSs communicate over the air with BSs; BSs connect via wired links to a BSC; BSCs connect to an MSC; MSCs connect to the PSTN, reaching e.g. a home phone.]
[LTL:]
- Several BSs connected via wireline links to one BSC (BS controller)
- Several BSCs connected via wireline links to one MSC (Mobile Switching Center)
- Several MSCs interconnected via wireline links to PSTN (Public Switched Telephone Network) and the ATM backbone

BS Structure
- BS consists of
  - Base Transceiver System (BTS)
    - Includes tower & antenna
  - BSC
    - Contains all associated electronics

MSC Database Supporting MS Mobility & Incoming Call Scenario
- MSC database for supporting MS mobility
  1) Home location register (HLR) for MS
    - Located at the home MSC for MS
      - Where MS is registered, billed, etc.
    - Indicates current location of MS
      - Could be within home MSC's area, OR
      - Could be in the area of any MSC in the world
  2) Visitor location register (VLR) on each MSC
    - Contains info on all MSs visiting the area of this MSC
- Incoming call scenario
  - Based on the called #, an incoming call for an MS is directed to the HLR of the home MSC for this MS
  - HLR redirects the call to the MSC/BSC/BS where the MS is now
    - VLR of the current MSC has info on the MS (one of the visiting MSs)

Control and Traffic Channels
[Figure: four simplex channels between Mobile Station and Base Station: forward control channel (downlink), reverse control channel (uplink), forward traffic channel (downlink), reverse traffic channel (uplink). Note: "forward/reverse" in the U.S., "downlink/uplink" elsewhere.]
[LTL:] 4 simplex channels needed for control & traffic
- 2 control channels
  - Exchange control msgs
  - Forward channel & reverse channel
- 2 traffic channels
  - For data
  - Forward channel & reverse channel

Steps for a Call Setup from MS to BS
[LTL:] Steps for a call setup from MS to BS, when MS initiates a call (messages between MS and BS, in time order):
1. Need to establish path
2. Frequency/time slot/code assigned (FDMA/TDMA/CDMA)
3. Control information acknowledgement
4. Start communication on assigned traffic channel

Steps for a Call Setup from BS to MS
[LTL:] Steps for a call setup from BS to MS, when MS responds to a call (another MS calls this MS):
1. Call for MS # pending
2. Ready to establish a path
3. Use frequency / time slot / code (FDMA/TDMA/CDMA)
4. Ready for communication
5. Start communication on assigned traffic channel

9.2. Cellular System Infrastructure cont. 1
- The infrastructure in more detail
  1) Discussed in Sec. 1 (Pervasive Computing):
    - BTS = base transceiver system (tower + antenna) (transceiver = transmitter + receiver)
    - BSC = BS controller (all electronics controlling BTSs, even k*100 BTSs)
    - BS = base station = BTS + BSC
      - NOTE: We sometimes omit mentioning BTS, as if BTS + BSC were co-located & were an integrated BS
      - Sometimes (as in the previous figure) BTS is denoted as BS

    - HLR = home location register
    - VLR = visitor location register
  2) Not discussed yet:
    - AUC = authentication center
    - EIR = equipment identity register

9.2. Cellular System Infrastructure cont. 3
- HLR and VLR are used in a way analogous to mail forwarding by the U.S. Postal Service - fig. above (pp. 190-192)

9.2. Cellular System Infrastructure cont. 4
- Unlike in the USPS example, in cellular we need not only a forward link (home MSC -> visiting MSC)
- Need also a backward link (visiting MSC -> home MSC); see fig. below for the bi-directional link
- Backward link needed for, e.g.:
  - Billing - done only by home MSC (mobile switching center)
  - Look at the list of access specifications kept by home MSC
    - Is MS active or not (e.g., delayed payment)
    - Local calls only, or long distance calls allowed, or both
    - Listing of calls made
    - Listing of charges

The end of the Introduction to Cellular Systems

GSM Security: The SIM card (Subscriber Identity Module)
- Security requirements for SIMs (SIMs implemented as smart cards)
  - Tamper-resistance
  - Protected by a PIN code (checked locally by the SIM)
  - Removable from the terminal
- Contains all end-user-specific data required in the Mobile Station:
  - IMSI: International Mobile Subscriber Identity (permanent user's identity)
  - PIN
  - TMSI (Temporary Mobile Subscriber Identity)
  - Ki: user's secret key
  - Kc: ciphering key
  - List of the most recent call attempts
  - List of preferred operators
  - Supplementary service data (abbreviated dialing, last short messages received, ...)

Authentication principle of GSM
* Uses the challenge-response principle
  + Subscriber (her SIM card) receives a random # (RAND) as a challenge
  + To be authenticated, subscriber (SIM) must compute a correct response
    - Computed from the challenge (RAND) and the long-term secret key (K)
    - K known only to Subscriber (her SIM) and the operator
  + RAND ensures freshness of the response (w/o RAND, an attacker could replay an old response)
* For the more interesting case, consider authenticating a subscriber in a visited network (not in the home network) - see Fig. 1.1
[Fig. 1.1: authentication in the visited network. The home network's PRNG (programmable random number generator) produces RAND; the A3 and A8 algorithms from the GSM specs compute SRES (the correct response to the challenge) and CK (the encryption key for mobile-to-visited-net communication); the visited network compares SRES with the response to the challenge received from the mobile.]

Authentication principle of GSM (2)
* Notes: VN = visited network, HN = home network
  + VN authenticates the subscriber w/o knowing K (long-term key)
    - Knows CK (encryption key for mobile-to-visited-net communications)
    - VN need not consult HN
  + HN need not be contacted by VN each time the subscriber must be authenticated
    - Because HN can send a few triplets (RAND, SRES, CK) each time it is contacted by VN
  + Subscriber identity hidden from eavesdroppers by using TMSI
    - IMSI used for the 1st authentication
    - TMSI assigned to Subscriber by VN after the 1st successful authentication
      - Encrypted with CK
    - Mobile uses TMSI to communicate w/ VN
  + When Subscriber moves to VN2 (another VN):
    - VN2 contacts VN1
    - VN1 sends TMSI to VN2

SKIP - Authentication principle of GSM (original slide)
[Figure: Mobile Station (holds Ki and IMSI/TMSI), Visited network, Home network. MS sends IMSI (or TMSI) to VN; VN forwards IMSI to HN; HN computes triplets (Kc, R, S) from Ki and R with A8 and A3 and returns them to VN; VN sends Authenticate(R) to MS; MS computes Kc = A8(Ki, R) and S' = A3(Ki, R) and replies Auth-ack(S'); VN checks S' = S?]

SKIP - Cryptographic algorithms of GSM
[Figure: the random number R and the user's secret key Ki feed A3 (giving S) and A8 (giving Kc); the triplet (R, S, Kc) is used for authentication; Kc keys the A5 ciphering algorithm.]
- Kc: ciphering key
- S: signed result
- A3: subscriber authentication (operator-dependent algorithm)
- A5: ciphering/deciphering (standardized algorithm)
- A8: cipher generation (operator-dependent algorithm)


[Figure: A5 ciphering. At the sender, A5 keyed with Kc turns the plaintext sequence into the ciphertext sequence; the receiver (network or MS) runs A5 with the same Kc to recover the plaintext sequence.]
- Kc = ciphering key
- A5 = ciphering/deciphering (standardized algorithm)

Conclusion on GSM security
- Security services provided by the GSM security architecture:
  - Focus on the protection of the air interface
  - No protection on the wired part of the network, neither for privacy nor for confidentiality
  - Allow the visited network access to almost all data, except the secret key of the end user
- Generally robust, but a few successful attacks have been reported:
  - Faking base stations
  - Cloning the SIM card

UMTS Security Architecture (1a)
- Motivation and goals
  - New kind of service providers: content providers, HLR-only service providers (HLR = Home Location Register)
  - Increased control for users over their service profiles
  - Enhanced resistance to active attacks
  - Increased importance of non-voice services
  - Reuse GSM (2G) security principles

UMTS Security Architecture (1b)
- Reusing GSM security principles (for GSM):
  - Removable hardware security module
    - In GSM (2G): SIM card
    - In UMTS (3G): USIM (User Services Identity Module)
  - Radio interface encryption
  - Limited trust in a visited network
    - K (long-term key) never revealed to it
  - Protection of the end user's identity
    - Especially on the radio interface
    - Using TMSI instead of IMSI

UMTS Security Architecture (2a)
- Weaknesses of GSM security that require corrections:
  - Only unilateral authentication
    - Authenticates only MS (mobile station) to BS (base station) in the visited net (none in reverse)
    - => Allows for fake BSs
      - Then run MITM (man-in-the-middle) attacks from it
      - Using IMSI catchers (devices for protocol testing)
    - Facilitated by the inability of the subscriber to verify the freshness of the received challenge
  - Lack of integrity protection for communication/signalling over radio
    - Facilitates using fake BSs
    - Integrity not critical for voice communications (just some voice distortion) but ...
    - ... integrity critical for data communications (each bit matters!)

UMTS Security Architecture (2b)
- Weaknesses of GSM security that require corrections, cont.
  - Short length of the encryption key
  - Weaknesses in implementations of the A3 and A8 algorithms
    - Allow compromising K (long-term key)
    - This allows cloning the SIM
  - ...

UMTS Security Architecture (3)
- Principles for the new security architecture in UMTS
  - Fix the weaknesses of GSM
  - Without changing general GSM security principles => extending them
    - Reverse authentication (BS to MS)
    - Integrity protection
- New security features in 3G
  - Address the weaknesses
  - Without changing general GSM security principles; instead, extend GSM security principles
    - Reverse authentication (BS to MS)
    - Integrity protection

Authentication in UMTS
- Details
  - GSM triplet (RAND, SRES, CK) replaced by a quintuple, the UMTS authentication vector: (RAND, XRES, CK, IK, AUTN), where:
    - RAND: as before
    - XRES: expected response to RAND
    - CK: as before
    - IK: integrity protection key
    - AUTN: token that (a) authenticates HN (home net) to MS and (b) proves freshness of RAND

Authentication in UMTS (2)
- Construction of the authentication vector in the UMTS standard
  - SQN = sequence # maintained synchronously by MS and HN
  - AK = anonymity key: to hide the SQN value from eavesdroppers
  - AMF = authentication & key management field: to pass parameters from HN to MS
  - MAC = message authentication code (nothing to do with the MAC sublayer)
- Notes:
  - f1 - f5 = one-way (hashing) functions
  - ⊕ = the XOR operation
  - SQN encoded with AK to protect the privacy of MS (otherwise an eavesdropper could associate different executions of the authentication protocol, with consecutive sequence #s, to the same subscriber)

Authentication in UMTS - 3GPP
[Figure: message flow between MS (holding K, the user's secret key), Visited Network, and Home Network (holding K and the SQN generator, and generating the cryptographic material):]
- MS -> Visited Network: IMSI/TMSI
- Home Network -> Visited Network: the i-th authentication vector (RAND(i), XRES(i), CK(i), IK(i), AUTN(i))
- Visited Network -> MS: User authentication request, RAND(i) || AUTN(i)
- MS:
  1) Verify AUTN(i) (cf. next slide):
    - Generate AK
    - Decode SQN
    - Verify MAC
    - Verify SQN(i)
  2) Compute RES(i) (next)
  3) Compute CK(i) (next)
  4) Compute IK(i) (next)
- MS -> Visited Network: User authentication response, RES(i)
- Visited Network: compare RES(i) and XRES(i); select CK(i) and IK(i)
- From now on, CK(i) & IK(i) are used to protect the integrity & confidentiality of msgs
- Recall: AK = anonymity key, to hide the SQN value from eavesdroppers; SQN = sequence # maintained synchronously by MS and HN; MAC = message authentication code

User Authentication Function in the USIM
[Figure: AUTN(i) = (SQN ⊕ AK) || AMF || MAC and RAND(i) enter the USIM. f5(K, RAND(i)) gives AK(i), which recovers SQN(i); K, SQN(i), RAND(i) and AMF feed f1 to give XMAC(i) (expected MAC); f2, f3 and f4 on K and RAND(i) give RES(i) (result), CK(i) (cipher key) and IK(i) (integrity key).]
- Verify MAC = XMAC (if yes, SQN originated in the MS's home network)
- Verify that SQN(i) > most recent SQN stored by MS
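Added example (not code from the slides, the textbook or 3GPP) modelling the quintuple construction and the USIM checks shown above, across home network, visited network and MS, including the two failure cases the checks exist for: a replayed vector (rejected by the SQN check) and an AUTN not made by the home network (rejected by the MAC check). Assumptions: f1-f5 are stood in by labelled HMAC-SHA256 rather than the Milenage functions, and K, RAND, SQN and AMF are constructed sample values.

```python
import hashlib
import hmac

SQN_LEN, AMF_LEN, MAC_LEN, AK_LEN = 6, 2, 8, 6   # 48, 16, 64 and 48 bits

def _f(label: bytes, k: bytes, data: bytes, out_len: int) -> bytes:
    """Stand-in for f1..f5 (ASSUMPTION: HMAC-SHA256 with a per-function label,
    not the 3GPP Milenage functions); output truncated to out_len bytes."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:out_len]

def f1(k, rand, sqn, amf): return _f(b"f1", k, rand + sqn + amf, MAC_LEN)  # MAC / XMAC
def f2(k, rand): return _f(b"f2", k, rand, 8)       # RES / XRES
def f3(k, rand): return _f(b"f3", k, rand, 16)      # CK
def f4(k, rand): return _f(b"f4", k, rand, 16)      # IK
def f5(k, rand): return _f(b"f5", k, rand, AK_LEN)  # AK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def generate_auth_vector(k: bytes, sqn: bytes, amf: bytes, rand: bytes) -> dict:
    """Home network: build the quintuple (RAND, XRES, CK, IK, AUTN) for one run.
    AUTN = (SQN xor AK) || AMF || MAC, so SQN never travels in the clear."""
    mac = f1(k, rand, sqn, amf)
    autn = xor(sqn, f5(k, rand)) + amf + mac
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}

class USIM:
    """The MS side: holds K and the most recent accepted SQN."""
    def __init__(self, k: bytes):
        self.k = k
        self.sqn_ms = 0

    def authenticate(self, rand: bytes, autn: bytes):
        """Steps 1-4 from the slides. Returns (RES, CK, IK); raises ValueError
        when AUTN is not from the home network or RAND is not fresh."""
        conc_sqn = autn[:SQN_LEN]
        amf, mac = autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]
        ak = f5(self.k, rand)                    # generate AK
        sqn = xor(conc_sqn, ak)                  # decode SQN
        xmac = f1(self.k, rand, sqn, amf)        # verify MAC = XMAC
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC failure: AUTN was not produced by the home network")
        sqn_int = int.from_bytes(sqn, "big")     # verify SQN(i) > stored SQN
        if sqn_int <= self.sqn_ms:
            raise ValueError("SQN not fresh: replayed (RAND, AUTN)")
        self.sqn_ms = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)

def visited_network_accepts(res: bytes, av: dict) -> bool:
    """Visited network compares RES(i) with XRES(i); it never needs K."""
    return hmac.compare_digest(res, av["XRES"])

def run_demo() -> dict:
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample K
    rand = bytes(range(16))                                 # constructed RAND(i)
    sqn = (7).to_bytes(SQN_LEN, "big")
    av = generate_auth_vector(k, sqn=sqn, amf=b"\x80\x00", rand=rand)
    usim = USIM(k)
    res, ck, ik = usim.authenticate(av["RAND"], av["AUTN"])
    out = {"accepted": visited_network_accepts(res, av),
           "keys_match": (ck, ik) == (av["CK"], av["IK"]),
           "sqn_hidden": av["AUTN"][:SQN_LEN] != sqn}   # eavesdropper sees SQN xor AK
    try:                                     # same vector again: the SQN check rejects it
        usim.authenticate(av["RAND"], av["AUTN"])
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    forged = bytearray(av["AUTN"])
    forged[-1] ^= 0x01                       # AUTN not from HN: the MAC check rejects it
    try:
        usim.authenticate(av["RAND"], bytes(forged))
        out["fake_network_rejected"] = False
    except ValueError:
        out["fake_network_rejected"] = True
    return out
```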

- USIM: User Services Identity Module

Conclusion on UMTS security
- Some improvement w.r.t. 2G
  - Cryptographic algorithms are published
  - Integrity of the signalling messages is protected
- Quite conservative solution
  - Privacy/anonymity of the user not completely protected
  - Complicates 2G-3G interoperability
    - Might open security breaches

Securing wireless networks
b. WiFi Security: WEP, WPA, & WPA2
- Intro to WiFi
- WEP
  - Intro to WEP
  - WEP flaws
  - WEP lessons learnt
- 802.11i
- Summary of WiFi security

b.1. Introduction to WiFi (1)
- STA = mobile STAtion; AP = Access Point
[Figure: STA scans on each channel; the AP sends beacons; STA sends an association request and the AP answers with an association response; STA is then connected. Beacon contents: MAC header, timestamp, beacon interval, capability info, SSID (network name), supported data rates, radio parameters, power-save flags.]

Introduction to WiFi (2)
[Figure: STAs associate with an AP, which connects them to the Internet.]

b.2. WEP
b.2.1. Intro to WEP
- WEP = Wired Equivalent Privacy
- WEP is a part of the IEEE 802.11 specification
- Goal: make a WiFi net at least as secure as a wired LAN that has no particular protection mechanisms
  - WEP was never intended to achieve strong security
- Services:
  - Access control to the network
  - Message confidentiality
  - Message integrity

WEP - Access control
- Before association, STA needs to authenticate itself to AP
- Authentication is based on a simple challenge-response protocol:
  - STA -> AP: authenticate request
  - AP -> STA: authenticate challenge (r)
    - r is 128 bits long
  - STA -> AP: authenticate response (eK(r))
  - AP -> STA: authenticate success/failure
- If authentication fails, no association is possible
- If authentication succeeds:
  - STA sends an association request
  - AP responds with an association response

WEP - Message confidentiality and integrity
- WEP encryption - based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.)
- Operation:
  - Sending a message:
    - The RC4 generator is initialized with:
      - a shared secret (shared between STA & AP)
      - an initialization vector (IV), 24 bits
    - RC4 produces a key stream (a pseudo-random byte sequence)
    - The key stream is XORed with the message
  - Message reception is analogous
- Essential: a different key stream for each message
  - Shared secret - the same for each message
  - IV - changes for every message
- WEP integrity protection - based on an encrypted CRC value

  - Operation:
    - Integrity check value (ICV) is computed and appended to the message
    - The message and the ICV are encrypted together

WEP - Message confidentiality and integrity (2)
[Fig. 1.3. Encryption and decryption in WEP. Encode: the IV and the secret key are fed to RC4, which outputs the key stream K; (message || ICV) is XORed with K; the frame carries the IV in the clear, followed by the encrypted (message || ICV). Decode: the receiver feeds the received IV and its secret key to RC4, obtains the same K, and XORs it with the encrypted part to recover message || ICV. ICV = CRC value for the message; K = key stream; shaded parts (secret key, K) are secret.]

WEP - Kinds of Keys
- WEP standard - two kinds of keys are allowed
  - Default key
    - Also called: shared key, group key, multicast key, broadcast key, key
  - Key-mapping keys
    - Also called: individual key, per-station key, unique key
[Figure: with a default key, STAs X, Y and Z and the AP all hold the same key (id:X | key:abc, id:Y | key:abc, id:Z | key:abc). With key-mapping keys, each STA has its own key (id:X | key:def, id:Y | key:ghi, id:Z | key:jkl) and the AP holds the table of all of them.]
- In practice, often only default keys are supported
  - Default key - manually installed in every STA & AP
  - Each STA uses the same shared secret key (see the default key fig.)
    - => in principle, STAs can decrypt each other's messages

WEP - Management of default keys
- The default key is a group key
  - Group keys need to be changed when a member leaves the group
    - E.g., when someone leaves the company and shouldn't have access to its network anymore
  - Practically impossible to change the default key in every device simultaneously
- => WEP supports multiple default keys for a smooth change of keys
  - One of the keys is the active key
    - Used currently to encrypt messages
  - Any default key can be used to decrypt messages
    - The message header contains a key ID
    - Allows the receiver to find out which key decrypts the message (knowing that one default key is enough)

WEP - The key change process
[Figure: key sets held by STA1, AP and STA2 over time; a, b, c, d, e, f are default keys and * indicates the active key. All start with abc*; the new keys def are installed alongside (abc def, then abc def*); the old keys are then removed, leaving def* everywhere.]
- Note:
  - New STA can read a msg encoded with c (since it includes it as a default key)
  - AP can read a msg encoded with f (since it includes it as a default key)

b.2.2. WEP flaws
WEP - Flaws in Authentication & Access Control
- Flaw 1: Authentication is not mutual (one-way only)
  - AP is not authenticated by STA (mobile STAtion)
  - STA is at risk of associating with a rogue AP
- Flaw 2: The same shared secret key is used for authentication & encryption
  - I authenticate X if X uses one of my group keys for encrypting her messages
  - I don't authenticate Y if his msg can't be decrypted using one of my group keys
  - Bad! Weaknesses in any of the two protocols can be used to break the key for the other protocol

- Flaw 3: STA authenticated only at connection time
  - => Access control is not continuous
  - Once STA has authenticated with (& associated to) AP, an attacker can send messages using the MAC (medium access control) address of STA
    - Correctly encrypted messages cannot be produced by the attacker (does not know a group key)
    - But the attacker can replay STA msgs (e.g., STA1 msg replayed as STA5 msg)
    - => STA can be impersonated (next slide)

WEP flaws in Authentication and Access Control (2a)
- Flaw 4: Using RC4 for encrypting the random challenge
  - Recall: authentication based on a challenge-response protocol:
    - AP -> STA: C
    - STA receives C and calculates the response:
      - K = a 128-bit key stream (RC4 output)
      [Figure: the IV and the secret key are fed to RC4, giving K; STA encodes the challenge C as C ⊕ K]
    - STA -> AP: IV || (C ⊕ K)

WEP flaws in Authentication and Access Control (2b)
- An attacker can:
  - Capture challenge C - when sent from AP to STA
  - Capture the encrypted challenge in the response R = (C ⊕ K) when sent from STA to AP
  - Compute the key stream: K = C ⊕ (C ⊕ K)
- Later, the attacker can use key stream K to impersonate a legitimate STA:
  - AP -> attacker: C' (any challenge!)
  - attacker -> AP: IV || (C' ⊕ K) - the correct response to any challenge
- Note: the IV does not help to prevent the attack
  - Since it is selected by the sender, i.e., the attacker

WEP - Flaws in Replay Protection & Integrity
- Replay protection: none at all
  - IV not mandated to be incremented after each msg
- Integrity: attackers can manipulate msgs despite the ICV mechanism & encryption
  - ICV appended to the clear message M (see Fig. 1.3) is the CRC value for M (CRC = cyclic redundancy code)
  - CRC is a linear function w.r.t. XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)

  - WEP-encrypted message M (cf. Fig. 1.3): (M || CRC(M)) ⊕ K

WEP - Flaws in Replay Protection & Integrity (2)
- Integrity: attackers can manipulate msgs despite the ICV mechanism & encryption, cont.
  - Attacker observes the encrypted message M: (M || CRC(M)) ⊕ K
  - ΔM = the changes that the attacker wants to make in M
  - Unfortunately, the attacker can compute CRC(ΔM) for any ΔM
  - Hence, the attacker can also compute the encrypted message (M ⊕ ΔM) as follows:
    - ((M || CRC(M)) ⊕ K) ⊕ (ΔM || CRC(ΔM))
      [the captured encrypted message, to which the attacker adds the last component; that component includes no K, so the attacker need NOT know K]
    - = ((M ⊕ ΔM) || (CRC(M) ⊕ CRC(ΔM))) ⊕ K
    - = ((M ⊕ ΔM) || CRC(M ⊕ ΔM)) ⊕ K
      [the encrypted message (M ⊕ ΔM); by the linearity of CRC, the effect is AS IF the attacker knew K, even though he does NOT know K]

WEP - Flaws in Confidentiality
- Flaw 1: IV reuse
  - IV space is too small - only 24 bits
    - => there are about 17 million (16,777,216) possible IVs
    - IV reused after about 17 million msgs
  - A WiFi device transmits approx. 500 full-length frames per sec.
    - => the IV space is used up in a few hours
  - => Repeating IVs means repeating key streams (pseudo-random sequences) used for encryption

WEP - Flaws in Confidentiality (2)
- Flaw 2: IV initialization & incrementing
  - Many implementations initialize the IV with 0 on startup & increment it by 1 for each next msg
  - If several devices are switched on nearly simultaneously, all use the same sequence of IVs
  - If they all use the same secret key (which is the common case for a default key for a group of devices under a single AP), then the same key streams (pseudo-random sequences) are used for encryption
  - => An attacker does not need to wait for msgs using repeated key streams (due to using up all IV values)
    - Gets messages encrypted with the same key stream immediately

WEP flaws in Confidentiality (3)
- Flaw 3 (total collapse of WEP): Weak RC4 keys
  - For weak keys (some seed values), the beginning of the RC4 output is not really random
  - One can infer the bits of the seed from the first few bytes of the RC4 output
    - => breaking the key is made easier
  - Crypto experts suggest: always throw away the first 256 bytes of the RC4 output
    - but WEP doesn't do that

WEP flaws in Confidentiality (4)
- Flaw 3 (total collapse of WEP): Weak RC4 keys, cont.

  - Due to the use of ever-changing IV values, eventually a weak key will be used
    - The attacker will know that, because IVs are sent in the clear (see Fig. 1.3)
  - WEP encryption can be broken:
    - by automatic key-cracking tools!
    - after eavesdropping on only k * 100,000 msgs!
  - This is the most serious flaw
    - Since breaking WEP means finding out the secret key! (see Fig. 1.3)
    - Can read and fake messages at will

b.2.3. WEP - Lessons learnt
1. Engineering security protocols is difficult
  - One can combine otherwise strong building blocks in a wrong way & obtain an insecure system at the end
    - Example 1: Stream ciphers (e.g., RC4) alone are OK; challenge-response protocols for authentication are OK; but they shouldn't be combined (as in WEP)
    - Example 2: Encrypting a msg digest (such as CRC) to obtain an ICV is a good principle, but it doesn't work if the message digest function is linear w.r.t. the encryption function (as is the case for CRC, which is linear w.r.t. the XOR function used for encryption in WEP)

WEP - Lessons learnt (2)
1. Engineering security protocols is difficult, cont.
  - Use the help of a security expert; don't do it alone (unless you are a security expert)
    - Functional properties can be tested ...
    - ... but security can't be tested - it is a non-functional property
      - => it is extremely difficult to tell if a system is secure or not
    - Using an expert in the design phase pays off (fixing the system after deployment will be much more expensive)
    - Experts will not guarantee that your system is 100% secure ...
    - ... but at least they know many pitfalls; they know the details of crypto algorithms
2. Avoid the use of WEP (as much as possible)
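An added model (not code from the slides, the textbook or the IEEE standard) of the WEP construction in Fig. 1.3, used to check two of the flaws above: the key stream leaked by the challenge-response exchange (Flaw 4) and the ICV forgery that CRC linearity permits (Lesson 1, Example 2). The keyed-MAC variant at the end is an assumption added for contrast with a non-linear ICV; the 40-bit key, IVs, challenges and messages are constructed samples.

```python
import hashlib
import hmac
import struct
import zlib

IV_LEN = 3  # 24-bit IV, sent in the clear in front of the ciphertext

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP uses the output from byte 0, discarding nothing."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(data: bytes) -> bytes:
    """WEP's ICV: the CRC-32 of the clear message."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """Fig. 1.3: IV || ((msg || ICV) xor RC4(IV || secret))."""
    body = msg + crc_icv(msg)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def wep_decrypt(secret: bytes, frame: bytes):
    """Receiver: regenerate the key stream from the received IV, then check the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plain = xor(body, rc4_keystream(iv + secret, len(body)))
    msg, icv = plain[:-4], plain[-4:]
    return msg if crc_icv(msg) == icv else None

# Flaw 4: the authentication exchange reveals a key stream to any listener.
def keystream_from_exchange(challenge: bytes, response: bytes):
    """Plaintext (C || CRC(C)) is public and the ciphertext is overheard, so their
    XOR is the key stream for that IV; the secret key is never needed."""
    iv, body = response[:IV_LEN], response[IV_LEN:]
    return iv, xor(challenge + crc_icv(challenge), body)

def response_with_keystream(iv: bytes, ks: bytes, challenge: bytes) -> bytes:
    """Any later challenge of the same length can be answered with that key
    stream; the responder chooses the IV, so its reuse is not detected."""
    body = challenge + crc_icv(challenge)
    return iv + xor(body, ks[:len(body)])

# Integrity flaw: CRC is linear under XOR, so the ICV can be patched blindly.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """XOR delta into the message and the matching correction into the ICV.
    zlib's CRC-32 has an init value and a final XOR, so for equal-length inputs
    CRC(X ^ Y) = CRC(X) ^ CRC(Y) ^ CRC(zeros); that last term depends only on
    the length, so the correction still needs no key."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    icv_delta = xor(crc_icv(delta), crc_icv(bytes(len(delta))))
    patch = (delta + icv_delta).ljust(len(body), b"\x00")
    return iv + xor(body, patch)

def mac_encrypt(secret: bytes, mac_key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Contrast (an assumption, not part of WEP): same RC4 framing, but the ICV is
    a keyed, non-linear tag (HMAC-SHA256 truncated to 8 bytes) over IV || msg."""
    tag = hmac.new(mac_key, iv + msg, hashlib.sha256).digest()[:8]
    body = msg + tag
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def mac_decrypt(secret: bytes, mac_key: bytes, frame: bytes):
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plain = xor(body, rc4_keystream(iv + secret, len(body)))
    msg, tag = plain[:-8], plain[-8:]
    expect = hmac.new(mac_key, iv + msg, hashlib.sha256).digest()[:8]
    return msg if hmac.compare_digest(tag, expect) else None

def run_demo() -> dict:
    secret = bytes.fromhex("0102030405")   # constructed 40-bit WEP default key
    iv = b"\x00\x00\x01"                   # constructed IV
    # Flaw 4 on the air: AP -> STA: C ; STA -> AP: IV || ((C || ICV) xor K)
    c = bytes(range(16))                   # 128-bit challenge, as on the slide
    iv_seen, ks = keystream_from_exchange(c, wep_encrypt(secret, iv, c))
    c2 = b"\xaa" * 16                      # a different, later challenge
    forged = response_with_keystream(iv_seen, ks, c2)
    # Integrity flaw: turn "100" into "999" inside an encrypted frame
    msg, target = b"pay 100 to bob", b"pay 999 to bob"
    delta = xor(msg, target)
    crc_frame = wep_encrypt(secret, iv, msg)
    mac_key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    mac_frame = mac_encrypt(secret, mac_key, iv, msg)
    return {
        "keystream_recovered": ks == rc4_keystream(iv + secret, len(ks)),
        "forged_response_accepted": wep_decrypt(secret, forged) == c2,
        "crc_bitflip_accepted": wep_decrypt(secret, flip_bits(crc_frame, delta)) == target,
        "hmac_bitflip_rejected": mac_decrypt(secret, mac_key, flip_bits(mac_frame, delta)) is None,
    }
```

The four results show why 802.11i moved to a keyed, non-linear integrity check and to per-session keys rather than a group key reused for authentication.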

b.3. Overview of 802.11i
- After the collapse of WEP => IEEE started to develop a new security architecture => 802.11i & Robust Security Network (RSN)
- Main novelties in 802.11i w.r.t. WEP
  - Access control model is based on 802.1X
  - Flexible authentication framework based on EAP (Extensible Authentication Protocol)
    - Authentication can be based on strong protocols, e.g., TLS (Transport Layer Security)
  - Authentication process results in a shared session key
    - Prevents session hijacking
  - Different functions (encryption, integrity) use different keys, derived from the session key using a one-way (hashing) function
  - Improved integrity protection
  - Improved encryption

b.3. Overview of 802.11i (2)
- 802.11i defines RSN (Robust Security Network)
  - Integrity protection & encryption based on AES
    - not on RC4 anymore
  - Nice solution ... but needs new hardware => can't be adopted quickly
- In addition to RSN, 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol)
  - Ugly solution ... but no new hardware required
    - Runs on old hardware after a software upgrade
  - Confidentiality: encryption based on RC4, but WEP's problems have been avoided
  - Integrity protection based on Michael (more on it later)
  - Authentication, access control, key management: same as in RSN

b.3. Overview of 802.11i (3)
- Industrial names (industry, eager to fix WEP's flaws, didn't wait till the 802.11i architecture was finalized by IEEE; it quickly produced its own specs, hence had to use different names)
  - For TKIP: WPA (WiFi Protected Access)
  - For RSN: WPA2
- Chronology [Wikipedia]
  - The WEP security specification is a part of the IEEE 802.11 standard ratified in Sept. 1999
  - RSN & TKIP are defined in IEEE 802.11i, draft standard ratified in June 2004

b.3.1. Authentication and access control in 802.11i
- Authentication and access control in 802.11i are borrowed from the 802.1X standard
  - 802.1X originally for wired LANs
- 802.1X authentication & access control model: next slide

802.1X authentication model
[Figure: supplicant system (supplicant) - authenticator system (authenticator, port, services) - authentication server system (authentication server); the authenticator controls the port to the LAN.]

- The supplicant requests access to the services (wants to connect to the network)
- The authenticator controls access to the services (controls the state of a port)
- The authentication server authorizes access to the services
- The supplicant authenticates itself to the authentication server (via the authenticator)
- If the authentication is successful:
  - the authentication server instructs the authenticator to switch the port on
  - the authentication server informs the supplicant that access is allowed

Mapping the 802.1X model to WiFi
- Mapping 802.1X to WiFi:
  - supplicant = STA (mobile device)
  - authenticator = AP (access point)
  - authentication server = server application running on the AP or on a dedicated machine
  - port = logical state implemented in software in the AP
- One more thing added to the basic 802.1X model in 802.11i:
  - Successful authentication results not only in switching the port on, but also in defining a session key between STA (supplicant) and the authentication server
  - The session key is sent to the AP (authenticator) in a secure way, using a shared key between the AP and the authentication server
    - This key is usually set up manually

Protocols RADIUS, EAPOL, and EAP
- RADIUS = Remote Access Dial-In User Service [RFC 2865-2869, RFC 2548]
  - to carry EAP messages (next) between auth server & AP

  - The MS-MPPE-Recv-Key attribute is used to transport the session key from auth server to AP
  - RADIUS is mandatory for WPA & optional for RSN
- EAPOL = EAP over LAN [802.1X]
  - to carry EAP messages (next) between STA & AP
  - to encapsulate EAP messages into LAN protocols, e.g., into Ethernet protocols

Summary of the protocol architecture
[Figure: protocol stacks. STA and AP: TLS (RFC 2246) over EAP-TLS (RFC 2716) over EAP (RFC 3748) over EAPOL (802.1X) over 802.11. AP and auth server: EAP over RADIUS (RFC 3579) over RADIUS (RFC 2865) over TCP/IP over 802.3 or else. TLS, EAP-TLS and EAP run end-to-end between STA and auth server, with the AP relaying between EAPOL and RADIUS.]
- IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia]

Protocols RADIUS, EAPOL, and EAP (2)
- EAP = Extensible Authentication Protocol [RFC 3748]
  - Carrier protocol - to transport the messages of real authentication protocols (e.g., TLS)
  - Very simple, with four types of messages:
    - EAP request: carries messages from the supplicant to the authentication server
    - EAP response: carries messages from the authentication server to the supplicant
    - EAP success: signals successful authentication
    - EAP failure: signals authentication failure
  - The authenticator (AP) doesn't understand what is inside the EAP messages
    - It recognizes only EAP success and EAP failure

Protocols RADIUS, EAPOL, and EAP (3)
- EAP-TLS = TLS over EAP [RFC 2716]
  - for server & client authentication, generation of the master secret
  - only the TLS Handshake Protocol is used
  - the TLS master secret becomes the session key
  - mandatory for WPA & optional for RSN

71 Summary of the protocol architecture TLS TLS(RFC (RFC2246) 2246) EAP-TLS EAP-TLS(RFC (RFC2716) 2716) EAP EAP(RFC (RFC3748) 3748) EAPOL EAPOL(802.1X) (802.1X) EAP EAPover overRADIUS RADIUS(RFC (RFC3579) 3579) 802.11 802.11 RADIUS

RADIUS(RFC (RFC2865) 2865) TCP/IP TCP/IP 802.3 802.3or orelse else STA AP auth server IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia, 72 SKIP- Summary of the 802.11i protocol architecture 73 EAP in action STA

encapsulated in EAPOL EAPOL-Start AP auth server encapsulated in EAP over RADIUS EAP Response (Identity) EAP Response (Identity) EAP Request 1 EAP Request 1 EAP Response 1 EAP Response 1 ... ... embedded auth. protocol EAP Request (Identity)

EAP Request n EAP Request n EAP Response n EAP Response n EAP Success EAP Success 74 b.3.2. Key management Pairwise master key (PMK) = the session key established between STA & AP as a result of the authentication procedure Pairwise since known only to STA & AP Known also to auth server (AS) - not counted since AS is a trusted entity Master bec. not used directly used to generate encryption & integrity keys Four keys derived from PMK are called the pairwise transient key (PTK) (in singular!) Data-encryption key (DEK) Data-integrity key (DIK) Key-encryption key (KEK)

b.3.2. Key management (slide 75)
- Pairwise master key (PMK) = the session key established between STA and AP as a result of the authentication procedure
  - Pairwise, since known only to STA and AP
    - Known also to the auth server (AS) - not counted, since the AS is a trusted entity
  - Master, because not used directly; used to generate encryption and integrity keys
- Four keys derived from the PMK are called the pairwise transient key (PTK) (in singular!)
  - Data-encryption key (DEK)
  - Data-integrity key (DIK)
  - Key-encryption key (KEK)
  - Key-integrity key (KIK)

b.3.2. Key management (2) (slide 76)
- Special case: AES-CCMP used in RSN (more on it later)
  - Three keys only in its PTK (pairwise transient key)
    - DEK = DIK
    - KEK
    - KIK

Four-way handshake protocol (slide 77)
- Objective:
  - AP and STA exchange their random numbers to be used in PTK generation
  - Proves to AP/STA that the other party also knows the PMK (result of authentication)

Four-way handshake protocol (2) (slide 78)
The protocol (its messages are carried by EAPOL):
  AP: generate ANonce (nonce is a random number)
1) AP -> STA: ANonce | KeyReplayCtr   (Ctr = counter)
  STA: generate SNonce and compute PTK
2) STA -> AP: SNonce | KeyReplayCtr | MIC_KIK
  (the above message includes the info needed by the AP for computing the PTK)
  AP: compute PTK, generate GTK and verify MIC (using KIK to verify the MIC)
  (a successful MIC verification proves to the AP that the STA has the PMK)
3) AP -> STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
  STA: verify MIC and install keys
  (a successful MIC verification proves to the STA that the AP has the PMK; also, this message signals that the AP is ready to install the keys => ready for encrypting subsequent packets)
4) STA -> AP: KeyReplayCtr+1 | MIC_KIK
  (ACK to the AP that the STA got message (3) from the AP)
Notation:
- MIC_KIK = Message Integrity Code (computed by the mobile device using KIK)
- KeyReplayCtr = a counter used to prevent replay attacks

Four-way handshake protocol (3) (slide 79)
- From now on, data packets sent between STA and AP are protected by DEK and DIK
- They don't protect messages broadcast by the AP to its STAs
  - Because keys for broadcast messages must be known to all STAs to which the AP wants to broadcast
  - => need a group transient key (GTK) (next)
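The four-way handshake above, as an added example (not from the slides or from the IEEE 802.11i text): a Python simulation of the four messages in which each side derives the PTK from the PMK, the two nonces and the two MAC addresses, and checks the other side's MIC. The PTK derivation uses the HMAC-SHA1 PRF-512 with the label "Pairwise key expansion" from IEEE 802.11i, which the slides do not show; the MIC and the {GTK}_KEK wrapping are simplified stand-ins, and the PMK, addresses, nonces and GTK are constructed values.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) until nbits are produced."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(AA, SPA) || min/max(ANonce, SNonce)).
    Sorting the inputs lets STA and AP derive the same key regardless of who is 'first'.
    Key names follow the slides: KIK (802.11i calls it KCK), KEK, DEK (TK), DIK (TKIP MIC keys)."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", b, 512)
    return {"KIK": ptk[0:16], "KEK": ptk[16:32], "DEK": ptk[32:48], "DIK": ptk[48:64]}

def mic(kik: bytes, msg: bytes) -> bytes:
    """Stand-in EAPOL-Key MIC over the message body: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kik, msg, hashlib.sha1).digest()[:16]

def wrap(kek: bytes, data: bytes) -> bytes:
    """Stand-in for {GTK}_KEK: XOR with a KEK-derived mask (802.11i uses RC4 or AES key wrap)."""
    mask = prf(kek, b"GTK wrap stand-in", b"", len(data) * 8)
    return bytes(a ^ b for a, b in zip(data, mask))

def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes, gtk: bytes):
    """Run the four messages; return (ok, installed PTK, installed GTK) as seen by the STA."""
    ctr = 0
    anonce = os.urandom(32)                              # AP: generate ANonce
    # 1) AP -> STA: ANonce | KeyReplayCtr (no MIC yet: the STA has no PTK at this point)
    snonce = os.urandom(32)                              # STA: generate SNonce
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    # 2) STA -> AP: SNonce | KeyReplayCtr | MIC_KIK
    m2 = snonce + ctr.to_bytes(8, "big")
    m2_mic = mic(ptk_sta["KIK"], m2)
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)  # AP: compute PTK
    if not hmac.compare_digest(mic(ptk_ap["KIK"], m2), m2_mic):
        return False, None, None                         # STA did not prove knowledge of the PMK
    # 3) AP -> STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
    ctr += 1
    m3 = anonce + ctr.to_bytes(8, "big") + wrap(ptk_ap["KEK"], gtk)
    m3_mic = mic(ptk_ap["KIK"], m3)
    if not hmac.compare_digest(mic(ptk_sta["KIK"], m3), m3_mic):
        return False, None, None                         # AP did not prove knowledge of the PMK
    gtk_sta = wrap(ptk_sta["KEK"], m3[40:])              # STA: unwrap GTK, install keys
    # 4) STA -> AP: KeyReplayCtr+1 | MIC_KIK (acknowledges message 3)
    m4 = ctr.to_bytes(8, "big")
    if not hmac.compare_digest(mic(ptk_ap["KIK"], m4), mic(ptk_sta["KIK"], m4)):
        return False, None, None
    return True, ptk_sta, gtk_sta
```

A wrong PMK on either side makes the MIC check fail at message 2 or 3, which is the property the slide describes: the handshake proves that the other party also knows the PMK.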

Group transient key (GTK) (slide 80)
- GTK includes:
  - group-encryption key (GEK)
  - group-integrity key (GIK)
- GTK sent to each STA separately
  - encrypted with the KEK of this single STA

Key hierarchies (summary) (slide 81)
[Figure: the pairwise and the group key hierarchy]
- 802.1X authentication -> PMK (pairwise master key) -> key derivation in STA and AP -> PTK (pairwise transient keys, 128 bits each):
  - key encryption key
  - key integrity key
  - data encryption key
  - data integrity key
  -> protection of unicast messages transmitted between STA and AP
- random generation in AP -> GMK (group master key) -> key derivation in AP -> GTK (group transient keys, 128 bits each):
  - group encryption key
  - group integrity key
  -> protected transport to every STA -> protection of broadcast messages transmitted from AP to STAs

b.3.3. TKIP and AES-CCMP (slide 82)
Recall:
1) 802.11i specs define security architectures:
   * Old security architecture (flawed) - protocol: WEP
     WEP security specification is a part of the IEEE 802.11 standard (Sept. '99) [Wikipedia]
   * New security architecture - protocols:
     Supersedes WEP, defined as IEEE 802.11i, draft standard ratified in June '04 [Wikipedia]
     + RSN - uses AES cipher (instead of RC4 cipher) - needs new h/w
     + TKIP (optional protocol) - uses RC4 cipher - uses old h/w
2) Industry specs define security architectures:
   + WPA (WiFi Protected Access) - based on TKIP
   + WPA2 - name used for RSN by many WiFi manufacturers

TKIP and AES-CCMP (slide 83)
Summary:
- AES used in RSN (= WPA2)
- RC4 used in TKIP and WPA

TKIP (slide 84)
- TKIP runs on old hardware (that supports RC4), but ...
- ... WEP weaknesses are corrected by TKIP
- TKIP fix for integrity: Michael - new message integrity protection mechanism
  - MIC (Message Integrity Code) value is added at SDU level (service data unit level) before fragmentation into PDUs - that is, the MIC value is added to the data received by the MAC layer from higher layers before these data are fragmented
  - implemented in the device driver (in software)

TKIP (2) (slide 85)
- TKIP fix for confidentiality: (recall: IV used as a replay counter)
  - to fix the IV reuse problem: increase IV length to 48 bits (from 24 bits)
  - to fix the weak keys problem: use per-packet keys (prevents an attacker from observing a sufficient number of messages encrypted with the same, potentially weak, key)
- next slide: new IV mechanism and generation of message keys

TKIP - Generating RC4 keys (slide 86)
- The 48-bit IV creates a difficulty: the old WEP hardware still expects a 128-bit RC4 seed value
  - => 48-bit IV and 104-bit key must be compressed into 128 bits
- The figure shows how this is done, that is, it shows generating RC4 seed values
[Figure: TKIP key mixing]
- inputs: IV (upper 32 bits and lower 16 bits), DEK (data encryption key, 128 bits, from PTK), MAC address
- key mix (phase 1): DEK, MAC address and the upper 32 bits of the IV
- key mix (phase 2): phase-1 output and the lower 16 bits of the IV -> per-packet key (104 bits)
- RC4 seed value (128 bits) = IV field (3 x 8 = 24 bits, including a dummy byte d) | per-packet key (104 bits)
- Recall: IV size in TKIP is increased from 24 to 48 bits

AES-CCMP (used in RSN) (slide 87)
- AES = AES cipher algorithm
- CCMP = CTR mode + CBC-MAC
  - encryption based on CTR mode (using AES - next slide)
  - integrity protection based on CBC-MAC (using AES - below)
- SKIP- Calculation of CBC-MAC
  - CBC-MAC is computed over the MAC header, CCMP header, and the MPDU (fragmented data)
  - mutable fields are set to zero
  - input is padded with zeros if its length is not a multiple of 128 (bits)
  - CBC-MAC initial block: flag (8) | priority (8) | source address (48) | packet number (48) | data length (16)
  - the final 128-bit block of the CBC encryption is truncated to the (upper) 64 bits to get the CBC-MAC value

AES-CCMP (slide 88)
- SKIP- CTR mode encryption
  - MPDU and CBC-MAC value are encrypted; MAC and CCMP headers are not
  - format of the counter is similar to the CBC-MAC initial block
    - data length replaced by counter
    - counter initialized with 1 and incremented after each encrypted block

SKIP- b.3.3. Bluetooth (slide 89)
P. 27 - 31

b.4. Summary of WiFi security (slide 90)
- Security always considered important for WiFi
- Early solution based on WEP
  - seriously flawed
  - not recommended to use
- 802.11i - the new security standard for WiFi
  - access control model based on 802.1X
  - flexible authentication based on:
    - EAP
    - upper layer authentication protocols (e.g., TLS, GSM authentication)
  - improved key management
  - TKIP
    - uses RC4 => runs on old hardware but corrects WEP's flaws
    - mandatory in WPA, optional in RSN (= WPA2)
  - AES-CCMP
    - uses AES in CCMP mode (CTR mode and CBC-MAC)
    - needs new hardware that supports AES

Recommended books (slide 91)
- V. Niemi and K. Nyberg. UMTS Security. Wiley, 2003.
- J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.
Caution: books describing standards age very quickly (especially in this field)!

THE END (slide 92)

(slides 93 and 94: blank)

SKIP- Generation of the authentication vectors (by the Home Environment) (slide 95)
[Figure: UMTS authentication vector generation]
- Generate SQN; Generate RAND; further inputs: AMF, K
- f1 -> MAC (Message Authentication Code)
- f2 -> XRES (Expected Result)
- f3 -> CK (Cipher Key)
- f4 -> IK (Integrity Key)
- f5 -> AK (Anonymity Key)
- Authentication token: AUTN := (SQN xor AK) || AMF || MAC
- Authentication vector: AV := RAND || XRES || CK || IK || AUTN
- AMF: Authentication and Key Management Field

SKIP- More about the authentication and key generation function (slide 96)
- In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).
- f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
- However, 3GPP provides a detailed example of an algorithm set, called MILENAGE
  - MILENAGE is based on the Rijndael block cipher
  - In MILENAGE, the generation of all seven functions f1-f5* is based on the Rijndael algorithm

SKIP- Authentication and key generation functions f1-f5* (slide 97)
[Figure: MILENAGE construction; inputs RAND, SQN||AMF, OP and K; OPc is derived from OP with EK; each output f1, f1*, f2, f3, f4, f5, f5* is obtained through EK with OPc, a rotation by r1..r5 and an addition constant c1..c5]
- OP: operator-specific parameter
- r1, ..., r5: fixed rotation constants
- c1, ..., c5: fixed addition constants
- EK: Rijndael block cipher with 128 bits text input and 128 bits key

SKIP- f9 integrity function (slide 98)
[Figure: f9 computed with a chain of KASUMI blocks under IK over COUNT || FRESH || MESSAGE || DIRECTION || 1 || 00...0; output MAC-I (left 32 bits)]
- KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits)
- PS: Padded String

SKIP- Ciphering method (slide 99)
[Figure: f8 at sender and receiver]
- Sender (Mobile Station or Radio Network Controller): f8 with inputs CK, COUNT-C, BEARER, DIRECTION, LENGTH -> KEYSTREAM BLOCK; KEYSTREAM BLOCK xor PLAINTEXT BLOCK -> CIPHERTEXT BLOCK
- Receiver (Radio Network Controller or Mobile Station): the same f8 -> KEYSTREAM BLOCK; KEYSTREAM BLOCK xor CIPHERTEXT BLOCK -> PLAINTEXT BLOCK
- BEARER: radio bearer identifier
- COUNT-C: ciphering sequence counter

SKIP- f8 keystream generator (slide 100)
[Figure: the input COUNT || BEARER || DIRECTION || 0...0 is encrypted by KASUMI under CK xor KM into a register; each keystream block is produced by KASUMI under CK from the register value combined with BLKCNT = 0, 1, 2, ..., BLOCKS-1, giving KS[0]..KS[63], KS[64]..KS[127], KS[128]..KS[191], ...]
- KM: Key Modifier
- KS: Keystream

SKIP- Detail of KASUMI (slide 101)
[Figure residue: Fig. 1: KASUMI (8 rounds on the 32-bit halves L0, R0 ... L8, R8 with FL1..FL8 and FO1..FO8); Fig. 2: FO Function (16-bit halves, FI with subkeys KOi,1..3 and KIi,1..3); Fig. 3: FI Function (S9 and S7 S-boxes with zero-extend and truncate between 9 and 7 bits); Fig. 4: FL Function (KLi,1, KLi,2, one-bit left rotations)]
- KLi, KOi, KIi: subkeys used at the ith round
- S7, S9: S-boxes
- Symbols used in the figures: bitwise AND operation, bitwise OR operation, <<< one bit left rotation

SKIP- Signaling integrity protection (slide 102)
[Figure: f9 at sender and receiver (Radio Network Controller or MS)]
- FRESH = random input

SKIP- Protocols LEAP, EAP-TLS, PEAP, EAP-SIM (slide 103)
- LEAP (Light EAP)
  - developed by Cisco
  - similar to MS-CHAP extended with session key transport
- EAP-TLS (TLS over EAP)
  - only the TLS Handshake Protocol is used
  - server and client authentication, generation of the master secret
  - TLS master secret becomes the session key
  - mandated by WPA, optional in RSN
- PEAP (Protected EAP)
  - phase 1: TLS Handshake without client authentication
  - phase 2: client authentication protected by the secure channel established in phase 1
- EAP-SIM
  - extended GSM authentication in WiFi context
  - protocol (simplified):
    STA -> AP: EAP res ID (IMSI / pseudonym)
    STA -> AP: EAP res (nonce)
    AP: [gets two auth triplets from the mobile operator's AuC]
    AP -> STA: EAP req (2*RAND | MIC_2*Kc | {new pseudonym}_2*Kc)
    STA -> AP: EAP res (2*SRES)
    AP -> STA: EAP success
