Network and Internet Security WIRELESS NETWORK SECURITY

Upload: ami-riley

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Network and Internet Security WIRELESS NETWORK SECURITY

Page 2: Wireless Network Security

IEEE 802.11 is a standard for wireless LANs. Interoperable, standards-compliant implementations are referred to as Wi-Fi

IEEE 802.11i specifies security standards for IEEE 802.11 LANs, including authentication, data integrity, data confidentiality, and key management. Interoperable implementations are also referred to as Wi-Fi Protected Access (WPA)

The Wireless Application Protocol (WAP) is a standard to provide mobile users of wireless phones and other wireless terminals access to telephony and information services, including the Internet and the Web

WAP security is primarily provided by the Wireless Transport Layer Security (WTLS), which provides security services between the mobile device and the WAP gateway to the Internet

There are several approaches to WAP end-to-end security. One notable approach assumes that the mobile device implements TLS over TCP/IP and the wireless network supports transfer of IP packets

Page 3: IEEE 802.11

IEEE 802 is a committee that has developed standards for a wide range of local area networks (LANs)

A new working group, IEEE 802.11, was formed with a charter to develop a protocol and transmission specifications for wireless LANs (WLANs).

The Wireless Ethernet Compatibility Alliance (WECA), later renamed the Wi-Fi (Wireless Fidelity) Alliance, certifies interoperability for 802.11b products

◦ The Wi-Fi Alliance is concerned with a range of market areas for WLANs, including enterprise, home, and hot spots

◦ The Wi-Fi Alliance has developed certification procedures for IEEE 802.11 security standards, referred to as Wi-Fi Protected Access (WPA)

◦ The most recent version of WPA, known as WPA2, incorporates all of the features of the IEEE 802.11i WLAN security specification

Page 4: IEEE 802.11 Protocol Stack

Physical Layer

◦ Includes such functions as encoding/decoding of signals and bit transmission/reception

◦ Includes a specification of the transmission medium

◦ Defines frequency bands and antenna characteristics

Medium Access Control

◦ On transmission, assemble data into a frame, known as a MAC protocol data unit (MPDU), with address and error-detection fields.

◦ On reception, disassemble the frame, and perform address recognition and error detection

◦ Govern access to the LAN transmission medium

Page 5: IEEE 802.11 Protocol Stack

Logical Link Control

◦ Responsible not only for detecting errors using the CRC

◦ but also for recovering from errors by retransmitting damaged frames

Page 6: IEEE 802.11 Extended Service Set

Page 7: IEEE 802.11 Services

Distribution of messages within the DS

◦ Distribution

◦ Integration

Association-related services

◦ Association

◦ Reassociation

◦ Disassociation

Page 8: IEEE 802.11i Wireless LAN Security

Characteristics of a wired LAN that are not inherent in a wireless LAN

◦ To transmit over a wired LAN, a station must be physically connected to the LAN. With a wireless LAN, any station within radio range of the other devices on the LAN can transmit [Authentication]

◦ In order to receive a transmission from a station that is part of a wired LAN, the receiving station also must be attached to the wired LAN [Privacy]

The original 802.11 specification included a set of security features for privacy and authentication that were quite weak

For privacy, 802.11 defined the Wired Equivalent Privacy (WEP) algorithm

The Wi-Fi Alliance promulgated Wi-Fi Protected Access (WPA) as a Wi-Fi standard

The final form of the 802.11i standard is referred to as Robust Security Network (RSN)

Page 9: IEEE 802.11i Services

Authentication: A protocol is used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link

Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.

Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted along with a message integrity code that ensures that the data have not been altered.
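The frame assembly and CRC error detection of the MAC and LLC slides (pages 4 and 5), together with the keyed message integrity code described here, as an added Python example that is not from the slides or the IEEE standard: a simplified frame with address fields and a CRC-32 FCS (the CRC the 802.11 FCS uses), a receiver that rejects damaged frames, an LLC-style retransmit loop, and a keyed MIC that, unlike the unkeyed CRC, cannot be satisfied without the key. The frame layout, HMAC-SHA256 as the MIC algorithm, and all helper names are assumptions.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed, simplified frame: 6-byte destination | 6-byte source | payload | 4-byte FCS.
# The real 802.11 MAC header has more fields; only the address + CRC-32 idea is kept here.
HDR_LEN = 12
FCS_LEN = 4
MIC_LEN = 8


def assemble_mpdu(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """MAC layer, transmit side: add address fields and a CRC-32 error-detection field."""
    body = dst + src + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def disassemble_mpdu(frame: bytes):
    """MAC layer, receive side: return (dst, src, payload), or None if the FCS check fails."""
    if len(frame) < HDR_LEN + FCS_LEN:
        return None
    body, (fcs,) = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return None  # damaged in transit: the LLC will ask for a retransmission
    return body[:6], body[6:12], body[HDR_LEN:]


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate channel noise by flipping one bit of the frame."""
    data = bytearray(frame)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)


def deliver(frame: bytes, channel, max_tries: int = 3):
    """LLC recovery: retransmit until a frame passes the FCS check; returns (parsed, attempts)."""
    for attempt in range(1, max_tries + 1):
        parsed = disassemble_mpdu(channel(frame, attempt))
        if parsed is not None:
            return parsed, attempt
    return None, max_tries


# 802.11i-style message integrity code: a keyed MAC over the data, unlike the unkeyed CRC,
# so the check can only be passed by a party holding the temporal key. HMAC-SHA256 stands
# in for the real 802.11i algorithms here (constructed example).
def add_mic(key: bytes, data: bytes) -> bytes:
    return data + hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]


def check_mic(key: bytes, msg: bytes) -> bool:
    data, mic = msg[:-MIC_LEN], msg[-MIC_LEN:]
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN], mic)
```

The CRC catches accidental damage (any single-bit flip is detected), which is all the LLC needs for retransmission; only the keyed MIC ties the frame contents to the temporary keys that the 802.11i authentication phase produces.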

Page 10: IEEE 802.11i Phases of Operation

Two wireless stations in the same BSS communicating via the access point (AP) for that BSS.

Two wireless stations (STAs) in the same ad hoc IBSS communicating directly with each other.

Two wireless stations in different BSSs communicating via their respective APs across a distribution system.

A wireless station communicating with an end station on a wired network via its AP and the distribution system.

Page 11: IEEE 802.11i Phases of Operation

Page 12: Wireless Application Protocol (WAP)

A universal, open standard developed by the WAP Forum to provide mobile users of wireless phones and other wireless terminals access to telephony and information services, including the Internet and the Web

WAP is designed to work with all wireless network technologies (e.g., GSM, CDMA and TDMA)

WAP is based on existing Internet standards, such as IP, XML, HTML and HTTP

The WAP specification

◦ A programming model based on the WWW Programming Model

◦ A markup language, the Wireless Markup Language, adhering to XML

◦ A specification of a small browser suitable for a mobile, wireless terminal

◦ A lightweight communications protocol stack

◦ A framework for wireless telephony applications (WTAs)

Page 13: WAP Infrastructure

Page 14: Wireless Transport Layer Security

Provides security services between the mobile device (client) and the WAP gateway

Based on the industry-standard Transport Layer Security (TLS) Protocol, which is a refinement of the Secure Sockets Layer (SSL) protocol

To provide end-to-end security

◦ WTLS is used between the client and the gateway

◦ TLS is used between the gateway and the target server

WAP systems translate between WTLS and TLS within the WAP gateway

Page 15: Wireless Transport Layer Security

WTLS provides the following features

◦ Data integrity: Uses message authentication to ensure that data sent between the client and the gateway are not modified.

◦ Privacy: Uses encryption to ensure that the data cannot be read by a third party.

◦ Authentication: Uses digital certificates to authenticate the two parties.

◦ Denial-of-service protection: Detects and rejects messages that are replayed or not successfully verified.

Page 16: Wireless Transport Layer Security

WTLS Sessions and Connections

◦ Secure connection:

◦ A connection is a transport (in the OSI layering model definition) that provides a suitable type of service

◦ For SSL, such connections are peer-to-peer relationships

◦ The connections are transient

◦ Every connection is associated with one session

◦ Secure session:

◦ An SSL session is an association between a client and a server

◦ Sessions are created by the Handshake Protocol

◦ Sessions define a set of cryptographic security parameters, which can be shared among multiple connections

◦ Sessions are used to avoid the expensive negotiation of new security parameters for each connection

Between any pair of parties (applications such as HTTP on client and server), there may be multiple secure connections.

◦ In theory, there may also be multiple simultaneous sessions between parties, but this feature is not used in practice.

Page 17: Wireless Markup Language

Text and image support:

◦ Formatting and layout commands are provided for text and limited image capability.

Deck/card organizational metaphor:

◦ A card specifies one or more units of interaction (a menu, a screen of text, or a text-entry field).

◦ A WML deck is similar to an HTML page in that it is identified by a Web address (URL) and is the unit of content transmission.

Support for navigation among cards and decks:

◦ WML includes provisions for event handling, which is used for navigation or executing scripts.

Page 18: Reference books

Cryptography and Network Security: Principles and Practice

◦ William Stallings

Network Security: Private Communication in a Public World

◦ Charlie Kaufman, Radia Perlman, Mike Speciner