Network and Internet Security: Wireless Network Security
Wireless Network Security
IEEE 802.11 is a standard for wireless LANs. Interoperable, standards-compliant implementations are referred to as Wi-Fi.
IEEE 802.11i specifies security standards for IEEE 802.11 LANs, including authentication, data integrity, data confidentiality, and key management. Interoperable implementations are also referred to as Wi-Fi Protected Access (WPA).
The Wireless Application Protocol (WAP) is a standard to provide mobile users of wireless phones and other wireless terminals with access to telephony and information services, including the Internet and the Web.
WAP security is primarily provided by Wireless Transport Layer Security (WTLS), which provides security services between the mobile device and the WAP gateway to the Internet.
There are several approaches to WAP end-to-end security. One notable approach assumes that the mobile device implements TLS over TCP/IP and the wireless network supports transfer of IP packets.
IEEE 802.11
IEEE 802 is a committee that has developed standards for a wide range of local area networks (LANs)
A new working group, IEEE 802.11, was formed with a charter to develop a protocol and transmission specifications for wireless LANs (WLANs)
The Wireless Ethernet Compatibility Alliance (WECA), later renamed the Wi-Fi (Wireless Fidelity) Alliance, certifies interoperability for 802.11b products
◦ The Wi-Fi Alliance is concerned with a range of market areas for WLANs, including enterprise, home, and hot spots
◦ The Wi-Fi Alliance has developed certification procedures for IEEE 802.11 security standards, referred to as Wi-Fi Protected Access (WPA)
◦ The subsequent version of WPA, known as WPA2, incorporates all of the features of the IEEE 802.11i WLAN security specification
IEEE 802.11 Protocol Stack
Physical Layer
◦ Includes such functions as encoding/decoding of signals and bit transmission/reception
◦ Includes a specification of the transmission medium
◦ Defines frequency bands and antenna characteristics
Medium Access Control
◦ On transmission, assemble data into a frame, known as a MAC protocol data unit (MPDU), with address and error-detection fields
◦ On reception, disassemble the frame, and perform address recognition and error detection
◦ Govern access to the LAN transmission medium
Logical Link Control
◦ Responsible not only for detecting errors using the CRC but also for recovering from errors by retransmitting damaged frames
IEEE 802.11 Extended Service Set
IEEE 802.11 Services
Distribution of messages within the DS (distribution system)
◦ Distribution
◦ Integration
Association-related services
◦ Association
◦ Reassociation
◦ Disassociation
IEEE 802.11i Wireless LAN Security
Characteristics of a wired LAN that are not inherent in a wireless LAN
◦ To transmit over a wired LAN, a station must be physically connected to the LAN. With a wireless LAN, any station within radio range of the other devices on the LAN can transmit [authentication]
◦ In order to receive a transmission from a station that is part of a wired LAN, the receiving station also must be attached to the wired LAN [privacy]
The original 802.11 specification included a set of security features for privacy and authentication that were quite weak
For privacy, 802.11 defined the Wired Equivalent Privacy (WEP) algorithm
The Wi-Fi Alliance promulgated Wi-Fi Protected Access (WPA) as a Wi-Fi standard, based on the then-current draft of 802.11i, as an interim replacement for WEP
The final form of the 802.11i standard is referred to as Robust Security Network (RSN)
IEEE 802.11i Services
Authentication: A protocol is used to define an exchange between a user and an authentication server (AS) that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link
Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.
Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted along with a message integrity code (MIC) that ensures that the data have not been altered.
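As an added example (not code from the slides, from the 802.11 standard, or from any real driver), the following Python models two things described above: the MAC layer's assembly and disassembly of an MPDU with address and error-detection (FCS) fields, and the 802.11i privacy-with-message-integrity service, in which the LLC PDU is encrypted and a MIC is appended; the receiver also rejects replayed packet numbers, as CCMP does. The 12-byte header, the 8-byte packet number, the HMAC-SHA256 counter-mode keystream standing in for AES-CCM, the 8-byte MIC and the names `protect`/`Receiver` are assumptions of this example, not the standard's exact formats.

```python
"""Added example (not from the slides): an 802.11-style MPDU with address and
FCS fields, then 802.11i-style privacy with message integrity (encryption + MIC)
and a packet-number replay check. The 12-byte header, the HMAC-SHA256
counter-mode keystream (a stand-in for AES-CCM) and the 8-byte MIC are
assumptions of this example, not the exact 802.11/CCMP formats."""
import hashlib
import hmac
import struct
import zlib

ADDR_LEN = 6               # 48-bit MAC addresses
HDR_LEN = 2 * ADDR_LEN     # simplified header: destination + source (assumption)
FCS_LEN = 4                # CRC-32 frame check sequence, as in 802.11
PN_LEN = 8                 # packet number sent in the clear (assumption: 8 bytes)
MIC_LEN = 8                # truncated MIC (CCMP also uses an 8-byte MIC)


def assemble_mpdu(dst: bytes, src: bytes, body: bytes) -> bytes:
    """MAC transmission: header with addresses + body + error-detection FCS."""
    frame = dst + src + body
    return frame + struct.pack("<I", zlib.crc32(frame))


def disassemble_mpdu(frame: bytes, my_addr: bytes):
    """MAC reception: FCS check, then address recognition; (src, body) or None."""
    if len(frame) < HDR_LEN + FCS_LEN:
        return None
    data, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.pack("<I", zlib.crc32(data)) != fcs:
        return None                                   # bit error on the medium
    dst, src = data[:ADDR_LEN], data[ADDR_LEN:HDR_LEN]
    if dst != my_addr:
        return None                                   # not addressed to us
    return src, data[HDR_LEN:]


def keystream(tk: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR inside CCM)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(tk, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def mic_of(tk: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Keyed MIC over nonce and ciphertext (stand-in for the CBC-MAC inside CCM)."""
    return hmac.new(tk, b"mic" + nonce + ct, hashlib.sha256).digest()[:MIC_LEN]


def protect(tk: bytes, pn: int, src: bytes, llc_pdu: bytes) -> bytes:
    """802.11i-style protected body: PN || E_tk(LLC PDU) || MIC."""
    nonce = src + struct.pack(">Q", pn)              # unique per (temporal key, PN)
    ct = bytes(a ^ b for a, b in zip(llc_pdu, keystream(tk, nonce, len(llc_pdu))))
    return struct.pack(">Q", pn) + ct + mic_of(tk, nonce, ct)


class Receiver:
    """Holds the temporal key and the last accepted PN for replay detection."""

    def __init__(self, tk: bytes, addr: bytes):
        self.tk, self.addr, self.last_pn = tk, addr, -1

    def receive(self, frame: bytes):
        """Return the decrypted LLC PDU, or None if the frame is rejected."""
        parsed = disassemble_mpdu(frame, self.addr)
        if parsed is None:
            return None
        src, body = parsed
        if len(body) < PN_LEN + MIC_LEN:
            return None
        pn = struct.unpack(">Q", body[:PN_LEN])[0]
        ct, mic = body[PN_LEN:-MIC_LEN], body[-MIC_LEN:]
        nonce = src + struct.pack(">Q", pn)
        if not hmac.compare_digest(mic, mic_of(self.tk, nonce, ct)):
            return None                               # altered in transit: MIC fails
        if pn <= self.last_pn:
            return None                               # replayed frame
        self.last_pn = pn
        return bytes(a ^ b for a, b in zip(ct, keystream(self.tk, nonce, len(ct))))


def demo() -> dict:
    """Constructed traffic: a valid frame, a tampered copy, and a replay."""
    tk = hashlib.sha256(b"constructed temporal key").digest()
    sta, ap = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    llc_pdu = bytes.fromhex("aaaa03000000") + b"hello AP"   # constructed LLC PDU
    rx = Receiver(tk, ap)
    frame = assemble_mpdu(ap, sta, protect(tk, 1, sta, llc_pdu))
    good = rx.receive(frame)
    # Attacker flips one ciphertext bit and recomputes the unkeyed CRC:
    # the FCS check passes, the keyed MIC does not.
    data = bytearray(frame[:-FCS_LEN])
    data[HDR_LEN + PN_LEN] ^= 0x01
    tampered = bytes(data) + struct.pack("<I", zlib.crc32(bytes(data)))
    return {"good": good, "tampered": rx.receive(tampered), "replay": rx.receive(frame)}


if __name__ == "__main__":
    print(demo())
```

The tampered frame in `demo` passes the FCS check because CRC-32 is unkeyed error detection that anyone can recompute; only the keyed MIC catches the change. That is the practical difference between the MAC layer's error detection and the 802.11i integrity service, and it is why WEP's CRC-based "integrity check" gave no protection against deliberate modification.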
IEEE 802.11i Phases of Operation
Two wireless stations in the same BSS communicating via the access point (AP) for that BSS.
Two wireless stations (STAs) in the same ad hoc IBSS communicating directly with each other.
Two wireless stations in different BSSs communicating via their respective APs across a distribution system.
A wireless station communicating with an end station on a wired network via its AP and the distribution system.
Wireless Application Protocol (WAP)
A universal, open standard developed by the WAP Forum to provide mobile users of wireless phones and other wireless terminals with access to telephony and information services, including the Internet and the Web
WAP is designed to work with all wireless network technologies (e.g., GSM, CDMA and TDMA)
WAP is based on existing Internet standards, such as IP, XML, HTML and HTTP
The WAP specification includes:
◦ A programming model based on the WWW programming model
◦ A markup language, the Wireless Markup Language (WML), adhering to XML
◦ A specification of a small browser suitable for a mobile, wireless terminal
◦ A lightweight communications protocol stack
◦ A framework for wireless telephony applications (WTAs)
WAP Infrastructure
Wireless Transport Layer Security
Provides security services between the mobile device (client) and the WAP gateway
Based on the industry-standard Transport Layer Security (TLS) protocol, which is a refinement of the Secure Sockets Layer (SSL) protocol
To provide end-to-end security
◦ WTLS is used between the client and the gateway
◦ TLS is used between the gateway and the target server
WAP systems translate between WTLS and TLS within the WAP gateway. Because the gateway decrypts the WTLS traffic before re-encrypting it with TLS, the data is in cleartext inside the gateway, so the gateway operator must be trusted; this hop-by-hop arrangement is not true end-to-end security, which is what the TLS-over-TCP/IP approach noted at the start of the deck provides.
WTLS provides the following features
◦ Data integrity: Uses message authentication to ensure that data sent between the client and the gateway are not modified.
◦ Privacy: Uses encryption to ensure that the data cannot be read by a third party.
◦ Authentication: Uses digital certificates to authenticate the two parties.
◦ Denial-of-service protection: Detects and rejects messages that are replayed or not successfully verified.
WTLS Sessions and Connections
◦ Secure connection:
  ◦ A connection is a transport (in the OSI layering model definition) that provides a suitable type of service
  ◦ For WTLS, as for SSL/TLS, such connections are peer-to-peer relationships
  ◦ The connections are transient
  ◦ Every connection is associated with one session
◦ Secure session:
  ◦ A WTLS session (like an SSL/TLS session) is an association between a client and a server
  ◦ Sessions are created by the Handshake Protocol
  ◦ Sessions define a set of cryptographic security parameters, which can be shared among multiple connections
  ◦ Sessions are used to avoid the expensive negotiation of new security parameters for each connection
Between any pair of parties (applications such as HTTP on client and server), there may be multiple secure connections.
◦ In theory, there may also be multiple simultaneous sessions between parties, but this feature is not used in practice.
Wireless Markup Language (WML)
Text and image support:
◦ Formatting and layout commands are provided for text and limited image capability.
Deck/card organizational metaphor:
◦ A card specifies one or more units of interaction (a menu, a screen of text, or a text-entry field).
◦ A WML deck is similar to an HTML page in that it is identified by a Web address (URL) and is the unit of content transmission.
Support for navigation among cards and decks:
◦ WML includes provisions for event handling, which is used for navigation or executing scripts.