
  • Number of slides: 46

Chapter 06 Wireless Network Security

Outline
• Introduction
• Thwarting malicious behavior
• 802.11 Wireless Network Security

6.1 Introduction

The Internet: something went wrong
• Network deployment
• Observation of new misdeeds (malicious or selfish)
• Install security patches (anti-virus, anti-spam, anti-spyware, anti-phishing, firewalls, …)
“The Internet is Broken”, MIT Technology Review, Dec. 2005 – Jan. 2006
NSF FIND, GENI, etc.

Where is this going?
• MIT Technology Review, Dec. 2005 – Jan. 2006
• The Economist, April 28, 2007
What if tomorrow’s wireless networks are even more unsafe than today’s Internet?

Wireless networks are rapidly becoming pervasive.
• How many of you have web-enabled cell phones?
• How many of you have networked PDAs and Pocket PCs?
• How many of you have laptops with wireless network cards?
• How many of you have wireless networks at work? at home?
• How many of you use wireless networks when you are out and about?

Of those of you who have wireless devices, how many of you:
• protect your wireless device with a password?
• encrypt the data in your wireless device?
• employ any type of security with your wireless device?
• employ security with your wireless network?

Upcoming wireless networks
• New kinds of networks
  – Personal communications
    • Small operators, community networks
    • Cellular operators in shared spectrum
    • Mesh networks
    • Hybrid ad hoc networks (also called “Multi-hop cellular networks”)
    • “Autonomous” ad hoc networks
    • Personal area networks
  – Vehicular networks
  – Sensor and RFID networks
  – …
• New wireless communication technologies
  – Cognitive radios
  – MIMO
  – Ultra Wide Band
  – Directional antennas
  – …

Community networks
Example: service reciprocation in community networks
• A phenomenon of growing relevance, led by FON, http://en.fon.com/
• FON claims
  • to have raised a total of more than 30 M$, notably from Google, Skype, and BT
  • that the number of “Foneros” is around 830’000

Mesh Networks
[Figure: mesh network with Transit Access Points (TAP)]

Mesh Networks: node compromise

Mesh Networks: jamming
More on mesh networks:
• IEEE Wireless Communications, Special Issue on Wireless Mesh Networking, Vol. 13 No 2, April 2006

Vehicular networks: why?
• Combat the awful side-effects of road traffic
  – In the EU, around 40’000 people die yearly on the roads; more than 1.5 million are injured
  – Traffic jams generate a tremendous waste of time and of fuel
• Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

Example of attack: Generate “intelligent collisions”
[Figure: vehicles receiving the messages “SLOW DOWN” and “The way is clear”]
• All carmakers are working on vehicular comm.
• Vehicular networks will probably be the largest incarnation of mobile ad hoc networks
For more information: http://ivc.epfl.ch http://www.sevecom.org

Sensor networks
Vulnerabilities:
• Theft → reverse engineered and compromised, replicated
• Limited capabilities → risk of DoS attack, restriction on cryptographic primitives to be used
• Deployment can be random → pre-configuration is difficult
• Unattended → some sensors can be maliciously moved around

RFID
• RFID = Radio-Frequency Identification
• RFID system elements
  – RFID tag + RFID reader + back-end database
• RFID tag = microchip + RF antenna
  – microchip stores data (few hundred bits)
  – Active tags
    • have their own battery → expensive
  – Passive tags
    • powered up by the reader’s signal
    • reflect the RF signal of the reader modulated with stored data
[Figure: RFID tagged object, RFID reader (reading signal, ID), back-end database (ID, detailed object information)]

Trends and challenges in wireless networks
• From centralized to distributed to self-organized → Security architectures must be redesigned
• Increasing programmability of the devices → increasing risk of attacks and of greedy behavior
• Growing number of tiny, embedded devices → Growing vulnerability, new attacks
• From single-hopping to multi-hopping → Increasing “security distance” between devices and infrastructure, increased temptation for selfish behavior
• Miniaturization of devices → Limited capabilities
• Pervasiveness → Growing privacy concerns
… Yet, mobility and wireless can facilitate certain security mechanisms

Grand Challenge
Prevent ubiquitous computing from becoming a pervasive nightmare

Reasons to trust organizations and individuals
• Moral values
  – Culture + education, fear of bad reputation
• Experience about a given party
  – Based on previous interactions
• Rule enforcement organization
  – Police or spectrum regulator
• Usual behavior
  – Based on statistical observation
• Rule enforcement mechanisms
  – Prevent malicious behavior (by appropriate security mechanisms) and encourage cooperative behavior
Annotations on the slide: “Will lose relevance” (brace starting at “Moral values”), “Scalability challenge”, “Can be misleading”

Upcoming networks vs. mechanisms
[Table: rule enforcement mechanisms (columns, grouped under Security and Cooperation, including Privacy) against upcoming wireless networks (rows: Small operators, community networks; Cellular operators in shared spectrum; Mesh networks; Hybrid ad hoc networks; Self-organized ad hoc networks; Vehicular networks; Sensor networks; RFID networks), with cells marked X or ?]

6.2 Thwarting malice: security mechanisms
2.1 Naming and addressing
2.2 Establishment of security associations
2.3 Secure neighbor discovery
2.4 Secure routing in multi-hop wireless networks
2.5 Privacy protection
2.6 Secure positioning

2.1 Naming and addressing
• Typical attacks:
  – Sybil: the same node has multiple identities
  – Replication: the attacker captures a node and replicates it → several nodes share the same identity
• Distributed protection technique in IPv6: Cryptographically Generated Addresses (T. Aura, 2003; RFC 3972) → only a partial solution to the problem
[Figure: Public key → Hash function → Interface ID (64 bits); Subnet prefix (64 bits) + Interface ID (64 bits) = IPv6 address]
For higher security (hash function output beyond 64 bits), hash extension can be used
Parno, Perrig, and Gligor. Detection of node replication attacks in sensor networks. IEEE Symposium on Security and Privacy, 2005

2.2 Pairwise key establishment in sensor networks
1. Initialization m (<<k) keys in

Probability for two sensors to have a common key
Eschenauer and Gligor, ACM CCS 2002
See also:
• Karlof, Sastry, Wagner: TinySec, Sensys 2004
• Westhoff et al.: On Digital Signatures in Sensor Networks, ETT 2005

2.3 Securing Neighbor Discovery: Thwarting Wormholes
• Routing protocols will choose routes that contain wormhole links
  – typically those routes appear to be shorter
  – Many of the routes (e.g., discovered by flooding based routing protocols such as DSR and Ariadne) will go through the wormhole
• The adversary can then monitor traffic or drop packets (DoS)

Wormholes are not specific to ad hoc networks
[Figure: access control system (gate equipped with contactless smart card reader), contactless smart card emulator, wormhole (fast connection), smart card reader emulator, contactless smart card; the user may be far away from the building]
Hu, Perrig, and Johnson. Packet leashes: a defense against wormhole attacks in wireless networks. INFOCOM 2003

2.4 Secure routing in wireless ad hoc networks
Exchange of messages in Dynamic Source Routing (DSR):
[Figure: network graph with nodes A, B, C, D, E, F, G, H]
A → *: [req, A, H; -]      → B, C, D, E
B → *: [req, A, H; B]      → A
C → *: [req, A, H; C]      → A
D → *: [req, A, H; D]      → A, E, G
E → *: [req, A, H; E]      → A, D, G, F
F → *: [req, A, H; E, F]   → E, G, H
G → *: [req, A, H; D, G]   → D, E, F, H
H → A: [H, F, E, A; rep; E, F]
• Routing disruption attacks
  – routing loop
  – black hole / gray hole
  – partition
  – detour
  – wormhole
• Resource consumption attacks
  – injecting extra data packets in the network
  – injecting extra control packets in the network

Operation of Ariadne illustrated
[Figure: network graph with nodes A, B, C, D, E, F, G, H]
A → *: [req, A, H, MAC_{KAH}, ()]
E → *: [req, A, H, h(E|MAC_{KAH}), (E), (MAC_{KE,i})]
F → *: [req, A, H, h(F|h(E|MAC_{KAH})), (E, F), (MAC_{KE,i}, MAC_{KF,i})]
H → F: [rep, H, A, (E, F), (MAC_{KE,i}, MAC_{KF,i}), MAC_{KHA}, ()]
F → E: [rep, H, A, (E, F), (MAC_{KE,i}, MAC_{KF,i}), MAC_{KHA}, (K_{F,i})]
E → A: [rep, H, A, (E, F), (MAC_{KE,i}, MAC_{KF,i}), MAC_{KHA}, (K_{F,i}, K_{E,i})]

Secure route discovery with the Secure Routing Protocol (SRP)
QSEQ: Query Sequence Number
QID: Query Identifier

More on secure routing
Secure Route Discovery
• Hu, Perrig, and Johnson: Ariadne, Sept. 2002, SEAD, Jun. 2002
• Sanzgiri, Dahill, Levine, Shields, and Royer: ARAN, Nov. 2002
• Papadimitratos and Haas: Secure Routing Protocol (SRP), Jan. 2002
• Zapata and Asokan: S-AODV, Sept. 2002
All above proposals are difficult to assess
• G. Ács, L. Buttyán, and I. Vajda: Provably Secure On-demand Source Routing, IEEE Transactions on Mobile Computing, Nov. 2006
Secure Data Communication
• Papadimitratos and Haas: Secure Single Path (SSP) and Secure Multi-path (SMT) protocols, Jul./Sept. 2003, Feb. 2006
Cross-layer attacks
• Aad, Hubaux, Knightly: Jellyfish attacks, 2004

2.5 Privacy: the case of RFID
• RFID = Radio-Frequency Identification
• RFID system elements
  – RFID tag + RFID reader + back-end database
• RFID tag = microchip + RF antenna
  – microchip stores data (few hundred bits)
  – Active tags
    • have their own battery → expensive
  – Passive tags
    • powered up by the reader’s signal
    • reflect the RF signal of the reader modulated with stored data
[Figure: RFID tagged object, RFID reader (reading signal, ID), back-end database (ID, detailed object information)]

RFID privacy problems
• RFID tags respond to reader’s query automatically, without authenticating the reader → clandestine scanning of tags is a plausible threat
• Two particular problems:
  1. Inventorying: a reader can silently determine what objects a person is carrying
    • books
    • medicaments
    • banknotes
    • underwear
    • …
  2. Tracking: set of readers can determine where a given person is located
    • tags emit fixed unique identifiers
    • even if tag response is not unique it is possible to track a set of particular tags
[Figure: person carrying tagged items: suitcase: Samsonite; watch: Casio; jeans: Lee Cooper; book: Wireless Security; shoes: Nike]
Juels A., RFID Security and Privacy: A Research Survey, IEEE JSAC, Feb. 2006

Who is malicious? Who is selfish?
[Figure labels: Harm everyone: viruses, …; Selective harm: DoS, …; Big brother; Spammer; Cyber-gangster: phishing attacks, trojan horses, …; Greedy operator; Selfish mobile station]
There is no watertight boundary between malice and selfishness
→ Both security and game theory approaches can be useful

Conclusion
• Upcoming wireless networks bring formidable challenges in terms of security
• The proper treatment requires a thorough understanding of upcoming wireless networks, of security

6.3 802.11 Wireless Network Security

■ In this lecture, we shall discuss three standards for securing wireless networks.
  - WEP (Wired Equivalent Privacy)
  - WPA (Wireless Protected Access)
  - WPA2
■ Actually, they are a family, called IEEE 802.11.
■ The corresponding commercial specifications are certified by Wi-Fi Alliance.

WEP (Wired Equivalent Privacy)
■ Specified by IEEE Standard 802.11a, 1997.
■ Aimed to make wireless as secure as wired networks.
■ Security flaws were identified before the ink was dry.
■ Most serious attacks can recover the WEP key by analysing a few million encrypted packets.
■ In 2005, a group from the FBI showed a demo to break a WEP-protected wireless network within 3 minutes by using publicly available tools.
■ Open Source utilities: aircrack-ng, weplab, WEPCrack, …

How does WEP work?
■ WEP uses RC4 to encrypt each packet M.
■ A WEP key K is shared among AP and all clients.
■ More specifically, the ciphertext C is generated by C = (M || ICV) ⊕ RC4(IV || K).
  ICV: (non-cryptographic) checksum.
  IV: a per-packet initialization value (3 bytes = 24 bits).
  K: from 5 to 16 bytes.
■ Finally, IV || C is transferred to the receiver.

Illustration of WEP:
[Figure: IV || WEP Key gives the Per-Frame Key K for RC4 Encryption; CRC-32 over the data gives the ICV, and data || ICV is encrypted; resulting frame: 802.11 Hdr, IV, Data, ICV]

Weaknesses in WEP:
■ Key management and key size
  The same shared secret key is used for both authentication and encryption.
■ Authentication
  Only one-way authentication. That is, AP is not authenticated to the client.
■ Integrity
  It is possible to modify some bits in a message so that the resulting message still passes the ICV test.

■ Confidentiality
  - WEP RC4 can be compromised easily by passively analysing several millions of packets.
  - IV is short, reused, and not encrypted.
  - RC4 has some weaknesses.
  - Technical details can be found in the following paper.
    A. Stubblefield, J. Ioannidis, and A. D. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. 2001. http://citeseer.ist.psu.edu/stubblefield01using.html
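
Added example (not part of the original slides): a small Python model of the WEP encapsulation C = (M || ICV) ⊕ RC4(IV || K) from the "How WEP works" slide, run on constructed data to show the two weaknesses listed above, an unkeyed CRC-32 ICV that survives bit modification and a repeated IV that repeats the keystream. The key, IV and all function names are assumptions chosen for illustration.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for `key` (key schedule, then output loop)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """ICV as on the slide: a non-cryptographic checksum (CRC-32, little-endian)."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encap(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """Build IV || C with C = (M || ICV) xor RC4(IV || K)."""
    body = msg + icv(msg)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decap(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, otherwise None."""
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4(iv + key, len(c)))
    msg, tag = body[:-4], body[-4:]
    return msg if icv(msg) == tag else None

def keystream_reuse(f1: bytes, f2: bytes) -> bytes:
    """Same IV means same keystream, so C1 xor C2 equals (M1||ICV1) xor (M2||ICV2)."""
    if f1[:3] != f2[:3]:
        raise ValueError("frames use different IVs")
    return xor(f1[3:], f2[3:])

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Integrity weakness: apply `delta` (same length as M) without knowing K.
    CRC-32 is affine, so the ICV changes by crc(delta) xor crc(zeros)."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + fix)

# Constructed sample values: 5-byte key K and 3-byte (24-bit) IV.
KEY, IV = bytes([1, 2, 3, 4, 5]), bytes([0, 0, 1])

if __name__ == "__main__":
    frame = wep_encap(IV, KEY, b"temp=20C door=shut")
    changed = flip_bits(frame, xor(b"temp=20C door=shut", b"temp=21C door=open"))
    print(wep_decap(KEY, frame), wep_decap(KEY, changed))
```

The modified frame is accepted because nothing in the ICV depends on the key; the keyed MIC listed for WPA and WPA2 on the following slides addresses this.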

WPA (Wireless Protected Access) or WEP2:
■ An interim solution to replace WEP.
■ Aimed to work well with hardware designed for WEP.
■ Still use RC4 for encryption.
■ Several new elements were introduced:
  - TKIP (Temporal Key Integrity Protocol).
  - MIC (message integrity code) for preventing forgery.
  - IV = 48 bits for preventing replay attack.
  - A mixing function for generating per-frame key.

Illustration of WPA (or WEP2):
[Figure: TKIP: the Integrity Key feeds the MIC Function over the data, giving data || MIC; the WEP Key passes through the Mixing Function to give the Per-Frame Key K’ for RC4 Encryption; resulting frame: 802.11 Hdr, IV, Data, MIC]

WPA2:
■ A long term solution specified by IEEE 802.11i in 2004.
■ Aimed to work with new hardware.
■ Use AES (in a new mode called CCM) for encryption.
■ Several new elements were introduced:
  - The base key K = 128 bits.
  - MIC is 64 bits for preventing forgery.
  - IV = 48 bits for preventing replay attack.
  - Packet sequence number is used to generate IV.

Format of WPA2:
[Figure: frame layout: 802.11 Hdr, 802.11i Hdr (IV, Key ID), Data, MIC, FCS; Data and MIC are encrypted by AES; the MIC marks the authenticated part]
  - FCS: Frame Check Sequence
  - Check here for some nice diagrams for Wi-Fi Encryption: http://xirrus.gcsmarket.com/pdfs/Xirrus_WiFiEncryption.pdf