MAC Layer Security
Outline
MAC Basics
MAC Layer Security in Wired Networks
MAC Layer Security in Wireless Networks
Multiple Access Links and Protocols
Three types of “links”:
  Point-to-point (single wire, e.g., PPP, SLIP)
  Broadcast (shared wire or medium; e.g., Ethernet, Wavelan, etc.)
  Switched (e.g., switched Ethernet, ATM, etc.)
Multiple Access protocols
Single shared communication channel
Two or more simultaneous transmissions by nodes: interference
  Only one node can send successfully at a time
Multiple access protocol:
  Distributed algorithm that determines how stations share the channel, i.e., determines when a station can transmit
  Communication about channel sharing must use the channel itself!
What to look for in multiple access protocols:
  • Synchronous or asynchronous
  • Information needed about other stations
  • Robustness (e.g., to channel errors)
  • Performance
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning
  TDMA: time division multiple access
  FDMA: frequency division multiple access
  CDMA (Code Division Multiple Access) Read!
Random Access
  Allow collisions
  “Recover” from collisions
“Taking turns”
  Tightly coordinate shared access to avoid collisions
Goal: efficient, fair, simple, decentralized
Random Access protocols
When a node has a packet to send:
  Transmit at full channel data rate R
  No a priori coordination among nodes
Two or more transmitting nodes -> “collision”
Random access MAC protocol specifies:
  How to detect collisions
  How to recover from collisions (e.g., via delayed retransmissions)
Examples of random access MAC protocols:
  Slotted ALOHA and ALOHA
  CSMA and CSMA/CD
CSMA: Carrier Sense Multiple Access
CSMA: listen before transmit:
  If channel sensed idle: transmit entire pkt
  If channel sensed busy: defer transmission
Persistent CSMA: retry immediately with probability p when channel becomes idle (may cause instability)
Non-persistent CSMA: retry after random interval
Human analogy: don’t interrupt others!
CSMA collisions
Collisions can occur: propagation delay means two nodes may not hear each other’s transmission
Collision: entire packet transmission time wasted
[Figure: spatial layout of nodes along Ethernet]
Note: role of distance and propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD:
  Carrier sensing, deferral as in CSMA
  Collisions detected within short time
  Colliding transmissions aborted, reducing channel wastage
  Persistent or non-persistent retransmission
Collision detection:
  Easy in wired LANs: measure signal strengths, compare transmitted, received signals
  Difficult in wireless LANs: receiver shut off while transmitting
Human analogy: polite conversationalist
[Figure: CSMA/CD collision detection]
“Taking Turns” MAC protocols
Channel partitioning MAC protocols:
  Share channel efficiently at high load
  Inefficient at low load: delay in channel access, 1/N bandwidth allocated even if only 1 active node!
Random access MAC protocols:
  Efficient at low load: single node can fully utilize channel
  High load: collision overhead
“Taking turns” protocols:
  Look for best of both worlds!
“Taking Turns” MAC protocols
Polling:
  Master node “invites” slave nodes to transmit in turn
  Request to Send, Clear to Send msgs
  Concerns: polling overhead, latency, single point of failure (master)
Token passing:
  Control token passed from one node to next sequentially
  Token message
  Concerns: token overhead, latency, single point of failure (token)
Summary of MAC protocols
What do you do with a shared medium?
  Channel partitioning, by time, frequency or code
    • Time Division, Code Division, Frequency Division
  Random partitioning (dynamic)
    • ALOHA, S-ALOHA, CSMA, CSMA/CD
    • Carrier sensing: easy in some technologies (wire), hard in others (wireless)
    • CSMA/CD used in Ethernet
  Taking turns
    • Polling from a central site, token passing
LAN Addresses and ARP
32-bit IP address:
  Network-layer address
  Used to get datagram to destination network (recall IP network definition)
LAN (or MAC or physical) address:
  Used to get datagram from one interface to another physically-connected interface (same network)
  48-bit MAC address (for most LANs) burned in the adapter ROM
LAN Addresses and ARP
Each adapter on LAN has unique LAN address
LAN Address (more)
MAC address allocation administered by IEEE
Manufacturer buys portion of MAC address space (to assure uniqueness)
Analogy:
  (a) MAC address: like Social Security Number
  (b) IP address: like postal address
MAC flat address ⟹ portability
  Can move LAN card from one LAN to another
IP hierarchical address NOT portable
  Depends on network to which one attaches
Recall earlier routing discussion
[Figure: network with hosts A, B and E and interfaces in the 223.1.1.x, 223.1.2.x and 223.1.3.x address ranges]
Starting at A, given IP datagram addressed to B:
  Look up net. address of B, find B on same net. as A
  Link layer sends datagram to B inside link-layer frame
Frame: B’s MAC addr | A’s MAC addr | A’s IP addr | B’s IP addr | IP payload
  Frame source, dest address: the MAC addresses
  Datagram source, dest address: the IP addresses
ARP: Address Resolution Protocol
Each IP node (host, router) on LAN has ARP module, table
ARP table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
  < ………………………….. >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B given B’s IP address?
ARP protocol
A knows B's IP address, wants to learn physical address of B
A broadcasts ARP query pkt, containing B's IP address
  All machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) physical layer address
A caches (saves) IP-to-physical address pairs until information becomes old (times out)
  Soft state: information that times out (goes away) unless refreshed
Routing to another LAN
Walkthrough: routing from A to B via R
In routing table at source host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: hosts A and B connected via router R]
A creates IP packet with source A, destination B
A uses ARP to get R’s physical layer address for 111.111.111.110
A creates Ethernet frame with R's physical address as dest; Ethernet frame contains A-to-B IP datagram
A’s data link layer sends Ethernet frame
R’s data link layer receives Ethernet frame
R removes IP datagram from Ethernet frame, sees it is destined to B
R uses ARP to get B’s physical layer address
R creates frame containing A-to-B IP datagram, sends to B
Ethernet
“Dominant” LAN technology:
  Cheap: $20 for 100Mbps!
  First widely used LAN technology
  Simpler, cheaper than token LANs and ATM
  Kept up with speed race: 10, 100, 1000 Mbps
[Figure: Metcalfe’s Ethernet sketch]
Ethernet Frame Structure
Sending adapter encapsulates IP datagram (or other network layer protocol packet) in Ethernet frame
Preamble:
  7 bytes with pattern 10101010 followed by one byte with pattern 10101011
  Used to synchronize receiver, sender clock rates
Ethernet Frame Structure (more)
Addresses: 6 bytes; frame is received by all adapters on a LAN and dropped if address does not match
Type: indicates the higher layer protocol, mostly IP, but others may be supported (such as Novell IPX and AppleTalk)
CRC: checked at receiver; if error is detected, the frame is simply dropped
Ethernet: uses CSMA/CD
A: sense channel, if idle
   then { transmit and monitor the channel;
          if detect another transmission
          then { abort and send jam signal;
                 update # collisions;
                 delay as required by exponential backoff algorithm;
                 goto A }
          else { done with the frame; set collisions to zero } }
   else { wait until ongoing transmission is over and goto A }
Ethernet’s CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of collision; 48 bits
Exponential backoff:
  Goal: adapt retransmission attempts to estimated current load
    Heavy load: random wait will be longer
  First collision: choose K from {0,1}; delay is K x 512 bit transmission times
  After second collision: choose K from {0,1,2,3}…
  After ten or more collisions, choose K from {0,1,2,3,4,…,1023}
MAC Flooding Attack
Problem: attacker can cause learning table to fill
  o Generate many packets to varied (perhaps nonexistent) MAC addresses
This harms efficiency
  o Effectively transforms switch into hub
  o Wastes bandwidth, end host CPU
This harms privacy
  o Attacker can eavesdrop by preventing switch from learning destination of a flow
  o Causes flow’s packets to be flooded throughout LAN
DHCP can be flooded with bogus IP “address accepted by host” responses, denying IP connectivity to devices
MAC Spoofing Attack
Host pretends to own the MAC address of another host
  o Easy to do: most Ethernet adapters allow their address to be modified
  o Powerful: can immediately cause complete DoS to spoofed host
    – All learning table entries switch to point to the attacker
    – All traffic redirected to attacker
    – Can enable attacker to evade ACLs set based on MAC information
ARP Spoofing Attack
• Attacker sends fake unsolicited ARP replies
  – Attacker can intercept forward-path traffic
  – Can intercept reverse-path traffic by repeating attack for source
  – Gratuitous ARPs make this easy
  – Only works within same subnet/VLAN
[Figure: Host A (10.0.0.1, MAC 0000:9f1e), Attacker (10.0.0.6, MAC 0000:7ee5) and Host B (10.0.0.3, MAC 0000:ccab) on one LAN. Gratuitous ARP: “My MAC is 0000:7ee5 and I have IP address 10.0.0.3”. Resulting table entry: IP 10.0.0.3, MAC 0000:7ee5]
Source: M. Caesar (UIUC)
Countermeasures to ARP Spoofing
Ignore gratuitous ARP
  o Problems: gratuitous ARP is useful; doesn’t completely solve the problem
Dynamic ARP Inspection (DAI)
  o Switches record <IP,MAC> mappings learned from DHCP messages, drop all mismatching ARP replies
Intrusion detection systems (IDS)
  o Monitor all <IP,MAC> mappings, signal alarms
Can also partition Ethernet networks into “virtual” LANs that are disjoint from each other
Source: M. Caesar (UIUC)
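A sketch of the Dynamic ARP Inspection check listed above, as an added example that is not from the original slides: ARP replies are compared against <IP,MAC> bindings learned from DHCP, and mismatches are dropped and recorded. The class and function names, the port numbers and the trusted-port exemption are assumptions made for illustration; the addresses reuse the shortened notation of the ARP spoofing slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: int         # switch port the reply arrived on
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # MAC address the sender claims for that IP


class ArpInspector:
    """Checks ARP replies against <IP,MAC> bindings learned from DHCP."""

    def __init__(self, trusted_ports=()):
        self.bindings = {}                       # ip -> mac, from snooped DHCP messages
        self.trusted_ports = set(trusted_ports)  # assumption: uplinks are exempt
        self.alerts = []                         # (reply, reason) for each dropped reply

    def learn_from_dhcp(self, ip, mac):
        self.bindings[ip] = mac.lower()

    def inspect(self, reply):
        """Return True to forward the ARP reply, False to drop it."""
        if reply.port in self.trusted_ports:
            return True
        bound_mac = self.bindings.get(reply.sender_ip)
        if bound_mac is None:
            self.alerts.append((reply, "no DHCP binding for sender IP"))
            return False
        if reply.sender_mac.lower() != bound_mac:
            self.alerts.append((reply, f"binding says {bound_mac}"))
            return False
        return True


def run_demo():
    dai = ArpInspector(trusted_ports={24})
    # Constructed bindings for the three hosts on the ARP spoofing slide.
    dai.learn_from_dhcp("10.0.0.1", "0000:9f1e")
    dai.learn_from_dhcp("10.0.0.3", "0000:ccab")
    dai.learn_from_dhcp("10.0.0.6", "0000:7ee5")
    replies = [
        ArpReply(3, "10.0.0.3", "0000:ccab"),   # Host B answering for itself
        ArpReply(6, "10.0.0.3", "0000:7ee5"),   # the gratuitous ARP from the slide
        ArpReply(6, "10.0.0.6", "0000:7ee5"),   # same port, truthful claim
        ArpReply(9, "10.0.0.99", "0000:abcd"),  # constructed static host, no DHCP lease
    ]
    verdicts = [dai.inspect(r) for r in replies]
    return verdicts, dai.alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    for reply, reason in alerts:
        print("DROP", reply, "-", reason)
```

The last reply shows the operational caveat: a statically addressed host has no DHCP-learned binding, so its ARP replies are dropped until a binding is configured for it.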
WEP Design Goals
Symmetric key crypto
  Confidentiality
  End host authorization
  Data integrity
Self-synchronizing: each packet separately encrypted
  Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers)
Efficient
  Implementable in hardware or software
Review: Symmetric Stream Ciphers
Combine each byte of keystream with byte of plaintext to get ciphertext:
  m(i) = i-th unit of message
  ks(i) = i-th unit of keystream
  c(i) = i-th unit of ciphertext
  c(i) = ks(i) ⊕ m(i) (⊕ = exclusive or)
  m(i) = ks(i) ⊕ c(i)
WEP uses RC4
[Figure: key → keystream generator → keystream]
Stream Cipher and Packet Independence
Recall design goal: each packet separately encrypted
If for frame n+1 we use keystream from where we left off for frame n, then each frame is not separately encrypted
  Need to know where we left off for packet n
WEP approach: initialize keystream with key + new IV for each packet:
[Figure: Key + IV(packet) → keystream generator → keystream(packet)]
WEP Encryption (1)
Sender calculates Integrity Check Value (ICV) over data
  Four-byte hash/CRC for data integrity
Each side has 104-bit shared key
Sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key
Sender also appends keyID (in 8-bit field)
128-bit key inputted into pseudo random number generator to get keystream
Data in frame + ICV is encrypted with RC4:
  Bytes of keystream are XORed with bytes of data & ICV
  IV & keyID are appended to encrypted data to create payload
  Payload inserted into 802.11 frame
[Figure: MAC payload containing IV, KeyID, and the encrypted data and ICV]
WEP Encryption (2)
[Figure 7.8-new1: 802.11 WEP protocol. The key sequence generator (for given KS, IV) takes the per-frame IV and KS, the 104-bit secret symmetric key, and produces the key sequence k1^IV, k2^IV, k3^IV, …, kN^IV, kN+1^IV, …, which is combined with the plaintext frame data plus CRC (d1 d2 d3 … dN, CRC1 … CRC4) to give c1 c2 c3 … cN, cN+1 … cN+4. Frame sent: 802.11 header, IV, WEP-encrypted data plus ICV.]
New IV for each frame
WEP decryption overview
Receiver extracts IV
Inputs IV, shared secret key into pseudo random generator, gets keystream
XORs keystream with encrypted data to decrypt data + ICV
Verifies integrity of data with ICV
  Note: message integrity approach used here is different from MAC (message authentication code) and signatures (using PKI).
[Figure: MAC payload containing IV, KeyID, and the encrypted data and ICV]
End-Point Authentication w/ Nonce
Nonce: number (R) used only once-in-a-lifetime
How to prove Alice “live”: Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[Figure: Alice to Bob: “I am Alice”; Bob to Alice: R; Alice to Bob: K_A-B(R)]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
WEP Authentication
[Figure: message exchange: authentication request; nonce (128 bytes); nonce encrypted with shared key; success if decrypted value equals nonce]
Notes:
  Not all APs do it, even if WEP is being used
  AP indicates if authentication is necessary in beacon frame
  Done before association
Breaking 802.11 WEP Encryption
Security hole:
  24-bit IV, one IV per frame ⟹ IVs eventually reused
  IV transmitted in plaintext ⟹ IV reuse detected
Attack:
  Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 …
  Trudy sees: ci = di XOR ki^IV
  Trudy knows ci, di, so can compute ki^IV
  Trudy knows encrypting key sequence k1^IV k2^IV k3^IV …
  Next time IV is used, Trudy can decrypt!
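The WEP encapsulation from the encryption and decryption slides and the IV-reuse weakness above, worked through as an added example that is not from the original slides. The key, IV and frame contents are constructed; the per-frame RC4 seed is built as IV followed by key, as 802.11 does, and the keyID is stored as a whole byte as on the slide.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4: key scheduling over the seed, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))   # four-byte CRC-32 ICV


def wep_encrypt(key: bytes, iv: bytes, key_id: int, data: bytes) -> bytes:
    if len(key) != 13 or len(iv) != 3:            # 104-bit key, 24-bit IV
        raise ValueError("bad key or IV length")
    plaintext = data + icv(data)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes([key_id]) + xor(plaintext, keystream)  # IV sent in clear


def wep_decrypt(key: bytes, payload: bytes) -> bytes:
    iv, body = payload[:3], payload[4:]
    plaintext = xor(body, rc4_keystream(iv + key, len(body)))
    data, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV check failed")
    return data


def keystream_from_known_frame(payload: bytes, known_data: bytes) -> bytes:
    """ki^IV = ci XOR di, computed without the key from a known plaintext."""
    return xor(payload[4:], known_data + icv(known_data))


def demo():
    key = bytes(range(1, 14))           # constructed 104-bit shared key
    iv = b"\x00\x00\x2a"                # constructed IV, reused for both frames
    known = b"known plaintext frame from Alice"
    later = b"a later frame, same IV"
    frame1 = wep_encrypt(key, iv, 0, known)
    frame2 = wep_encrypt(key, iv, 0, later)
    keystream = keystream_from_known_frame(frame1, known)
    recovered = xor(frame2[4:], keystream)[:len(later)]
    return recovered, wep_decrypt(key, frame2)


if __name__ == "__main__":
    print(demo())
```

With only 2^24 possible IVs per key, a repeat is unavoidable on a busy link, which is why the later protocols on this page derive per-packet keys instead.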
802.11i: Improved Security
Numerous (stronger) forms of encryption possible
Provides key distribution
Uses authentication server separate from access point
WPA: WiFi Protected Access
“Snapshot of 802.11i” developed Oct. 2002 to fix WEP flaws
Short-term solution: patch WEP using same hardware
Temporal Key Integrity Protocol (TKIP) generates per-packet keys
Keys have short lifetime; continuously “refreshed”
TKIP includes Message Authentication Code for data integrity
WPA2: A Long-Term Solution
WPA2 provides confidentiality, data integrity, protection against replay attacks
Uses AES in counter mode with cipher block chaining (CBC) and message authentication code (MAC) with a different key
  This is the Counter mode/CBC-MAC Protocol (CCMP)
Both WPA and WPA2 use 802.11i authentication mechanisms, described next
802.11i: Four Phases of Operation
[Figure: STA (client station), AP (access point), and AS (authentication server) on the wired network]
1 Discovery of security capabilities
2 STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through”
3 STA derives Pairwise Master Key (PMK); AS derives same PMK, sends to AP
4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity
EAP: Extensible Authentication Protocol
EAP: end-end client (mobile) to authentication server protocol
EAP sent over separate “links”
  Mobile-to-AP (EAP over LAN)
  AP to authentication server (RADIUS over UDP)
[Figure: protocol stacks. EAP TLS over EAP; EAP carried over EAP over LAN (EAPoL) on IEEE 802.11, and over RADIUS on UDP/IP across the wired network]
Simple Messages in Networking Systems
Messages that are short, unencrypted and used for control
Examples:
  SYN message in TCP
  Keep-alive message in BGP
  RTS/CTS/null data frames in 802.11 WLANs
Null Data Frames in 802.11 WLANs
A special type of data frame that contains no data
Widely used for power management, channel scanning and association keep-alive
Security vulnerabilities of null data frames in 802.11 WLANs:
  Functionality-based denial-of-service attack
  Implementation-based fingerprinting attack
Null Data Frame Format
Frame body part is empty
0: sleep/awake => awake; 1: awake => sleep
Indicates whether frame body is encrypted
[Figure: Power Management in 802.11 WLANs. Timeline of access point and station across beacon intervals, showing beacons, a data frame, TIM = 0, and the awake => sleep transition]
Security Vulnerability
The attacker can spoof the identity of a sleeping station, and steal its buffered data frames
  Null data frame is short
    Allows efficient fake frame generation
  Null data frame is unencrypted
    Allows fake frame generation
[Figure: Illustration of Functionality-based Denial-of-Service Attack. Timeline of access point, victim station and attacker across beacon intervals, showing beacons, a null data (awake) frame, a data frame, TIM = 0, and the awake => sleep transition]
Salient Features of the Attack
Easy to implement
  Short frame without encryption
Hard to detect in real time
  MAC address and sequence number are changeable
Little communication overhead
  Does not require frame flooding
802.11 WLAN Issues (1)
No protection in open-access WLANs
Consequences:
  Passive eavesdropping
  Traffic analysis
  Message injection
  Masquerading
  Malicious AP
  Session hijacking
  Man-in-the-middle
  Denial-of-service
  Etc.
802.11 WLAN Issues (2)
Weak protection of WPA-PSK
  Except pairwise master key (PMK), all the information needed to generate pairwise transient key (PTK) can be obtained from the first two unprotected messages in four-way handshake
  Vulnerability of WPA-PSK to insiders (insider attacks)
  Vulnerability of WPA-PSK with a weak key (dictionary attacks)
Consequences
  Encryption key is disclosed
  After getting the key, any attacks on open systems are possible
Null Data Frame Authentication
Basic idea
  Encryption of link layer frames needs an encryption key
  How to set up this key?
    Replace “open system authentication” (OSA) algorithm with “dummy authentication key-establishment” algorithm to set up a session key
Why is the algorithm called dummy authentication?
  It occupies the position of an authentication algorithm in 802.11 medium access control protocols
  It does not perform real authentication. It only sets up a cryptographic key
Patch: Open System Authentication
The key point for patching the 802.11 MAC protocol is the “open system authentication” (OSA) algorithm, since there is no real authentication in this step. It’s just a placeholder
[Figure: STA and AP: Open system authentication request; Open system authentication response]
Dummy Authentication Key-Establishment Alg.
[Figure: STA and AP: Dummy authentication request; Generate a rnd and a psk; verify ticket, recover psk]
Resulting Conversations of Robust Security Network Association
[Figure: conversations between STA and AP in three systems]
a. Open system (before):
  1. Network & security discovery
  2. Open system authentication
  3. Association
  4. Unsecured data communication
b. WPA-PSK system (before):
  1. Network & security discovery
  2. Open system authentication
  3. Association
  5. Four-way handshake
  6. Group key handshake
  7. Secure data communication
c. Open / WPA-PSK system with Dummy Auth (now):
  1. Network & security discovery
  2. Dummy authentication
  3. Association
  5. Four-way handshake
  6. Group key handshake
  7. Secure data communication
Derivation of a New Pairwise Master Key
Utilize the existing algorithms/protocols to protect data frames with a new PMK
  PMK := csk ⊕ PBKDF2(passphrase, SSID, SSIDlength, 4096, 256)
Where the right part is the original PMK in WPA-PSK, and csk is the common session key derived from dummy authentication. If it is used in an open access network, set passphrase = “open system”
Provide protection (encryption) to open system
Prevent insider’s eavesdropping and dictionary attacks on WPA-PSK
No need to modify the existing MAC protocols for data frame protection
Null Data Frame Protection
Need to modify MAC protocol by changing frame format
  frame := (MAC Header, null, pArgs, Htk(“last timestamp”, pArgs), FCS)
Compared to the original frame format, a MIC code is added
The timestamp in the previous beacon is treated as filed plaintext data, even though it is not in the resulting frame
MIC is different for each frame because of the changing timestamp and increased sequence number TSC or PN. This makes forging and replaying the null data frames useless
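The protected null data frame above, as an added example that is not from the original slides or the cited paper: the sender computes the MIC over the last beacon timestamp and pArgs, and the receiver rejects forged and replayed frames. HMAC-SHA256 standing in for Htk, the 8-byte MIC, the 24-byte header, and pArgs holding only a sequence counter are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MIC_LEN = 8      # assumed MIC length; the slides do not specify one
HEADER_LEN = 24  # assumed fixed-size MAC header


def compute_mic(tk, last_beacon_ts, p_args):
    """Htk("last timestamp", pArgs), instantiated here with HMAC-SHA256."""
    msg = struct.pack("<Q", last_beacon_ts) + p_args
    return hmac.new(tk, msg, hashlib.sha256).digest()[:MIC_LEN]


def build_null_frame(tk, mac_header, last_beacon_ts, seq):
    """frame := (MAC Header, null, pArgs, MIC); the FCS is left out here."""
    p_args = struct.pack("<Q", seq)   # pArgs modelled as the sequence counter only
    return mac_header + p_args + compute_mic(tk, last_beacon_ts, p_args)


class NullFrameVerifier:
    """Receiver side: checks the MIC, then enforces an increasing counter."""

    def __init__(self, tk):
        self.tk = tk
        self.last_seq = -1

    def accept(self, frame, last_beacon_ts):
        body = frame[HEADER_LEN:]
        if len(body) != 8 + MIC_LEN:
            return False
        p_args, mic = body[:8], body[8:]
        expected = compute_mic(self.tk, last_beacon_ts, p_args)
        if not hmac.compare_digest(mic, expected):
            return False              # forged, or bound to another beacon
        (seq,) = struct.unpack("<Q", p_args)
        if seq <= self.last_seq:
            return False              # replay within the same beacon interval
        self.last_seq = seq
        return True


def run_demo():
    tk = bytes(range(16))             # constructed temporal key
    header = b"\x48" + bytes(23)      # constructed 24-byte header stand-in
    rx = NullFrameVerifier(tk)
    frame1 = build_null_frame(tk, header, 1000, seq=1)
    forged = build_null_frame(bytes(16), header, 1100, seq=2)  # built without tk
    frame2 = build_null_frame(tk, header, 1100, seq=2)
    return [
        rx.accept(frame1, 1000),   # genuine frame
        rx.accept(frame1, 1000),   # replay in the same beacon interval
        rx.accept(frame1, 1100),   # replay after the next beacon
        rx.accept(forged, 1100),   # sender that does not hold tk
        rx.accept(frame2, 1100),   # next genuine frame
    ]


if __name__ == "__main__":
    print(run_demo())
```

Only the fields named in the slide's formula are authenticated in this sketch; the MAC header itself is not covered by the MIC.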
Discussions (1)
[Figure: message exchanges between STA and AP; messages and steps shown in each panel are listed below]
a. Public-key transfer procedure:
  Public key request
  AP’s certificate, timestamp
b. 4-way dummy authentication:
  Dummy authentication request
  Status code + ticket
  Dummy authentication response
  ticket + rnd + Epk(rnd || psk)
  Compute session key (STA and AP)
Discussions (2)
[Figure: message exchanges between STA and AP; messages and steps shown in each panel are listed below]
a. Public-key transfer procedure:
  Public key request
  AP’s certificate, timestamp
c. 2-way dummy authentication with modified association:
  Dummy authentication request
  Status code + ticket
  Compute session key (STA and AP)
  Association request with ticket + rnd + Epk(rnd || psk)
  Association response
Final Remarks
MAC protocols control access to physical network resources for multiple clients (wired and wireless)
Protocols not designed with security in mind
  Spoofing, flooding attacks possible against Ethernet, 802.11 networks
802.11 wireless security has improved considerably from WEP, but it is still not perfect
Devices can be fingerprinted based on MAC layer characteristics
Thank You
Questions & comments?
Acknowledgments
This material is partially based on:
  Matthew Caesar’s slides on IP/Ethernet Security: http://www.cs.illinois.edu/%7Ecaesar/courses/CS598.S13/slides/lec_03_Ethernet.pdf
  Slides for J.F. Kurose and K.W. Ross textbook
  Georg Carle’s slides on Link-Layer Security: http://www.net.in.tum.de/fileadmin/TUM/teaching/netzsicherheit/ws1011/06_LinkLayerSecurity_1up.pdf
  Zhimin Yang, Boxuan Gu, Adam Champion, Xiaole Bai and Dong Xuan, Link-Layer Protection in 802.11i WLANs with Dummy Authentication, in Proc. of ACM Conference on Wireless Network Security (WiSec), March 2009 (short paper).