MAC Layer Security

MAC Layer Security

Outline • MAC Basics • MAC Layer Security in Wired Networks • MAC Layer Security in Wireless Networks

Multiple Access Links and Protocols Three types of “links”: • Point-to-point (single wire, e.g. PPP, SLIP) • Broadcast(shared wire or medium; e.g, Ethernet, Wavelan, etc.) • Switched (e.g., switched Ethernet, ATM etc)

Multiple Access protocols • Single shared communication channel • Two or more simultaneous transmissions by nodes: interference • Only one node can send successfully at a time • Multiple access protocol: • Distributed algorithm that determines how stations share channel, i.e., determine when station can transmit • Communication about channel sharing must use channel itself! • What to look for in multiple access protocols: • Synchronous or asynchronous • Information needed about other stations • Robustness (e.g., to channel errors) • Performance

MAC Protocols: a taxonomy Three broad classes: • Channel Partitioning • TDMA: time division multiple access • FDMA: frequency division multiple access • CDMA (Code Division Multiple Access) Read! • Random Access • Allow collisions • “Recover” from collisions • “Taking turns” • Tightly coordinate shared access to avoid collisions Goal: efficient, fair, simple, decentralized

Random Access protocols • When node has packet to send • Transmit at full channel data rate R. • No a priori coordination among nodes • Two or more transmitting nodes -> “collision”, • Random access MAC protocolspecifies: • How to detect collisions • How to recover from collisions (e.g., via delayed retransmissions) • Examples of random access MAC protocols: • Slotted ALOHA and ALOHA • CSMA and CSMA/CD

CSMA: Carrier Sense Multiple Access) CSMA: listen before transmit: • If channel sensed idle: transmit entire pkt • If channel sensed busy, defer transmission • Persistent CSMA: retry immediately with probability p when channel becomes idle (may cause instability) • Non-persistent CSMA: retry after random interval • Human analogy: don’t interrupt others!

CSMA collisions Spatial layout of nodes along Ethernet Collisions can occur: Propagation delay means two nodes may not year hear each other’s transmission Collision: Entire packet transmission time wasted Note: Role of distance and propagation delay in determining collision prob.

CSMA/CD (Collision Detection) CSMA/CD:Carrier sensing, deferral as in CSMA • Collisions detected within short time • Colliding transmissions aborted, reducing channel wastage • Persistent or non-persistent retransmission • Collision detection: • Easy in wired LANs: measure signal strengths, compare transmitted, received signals • Difficult in wireless LANs: receiver shut off while transmitting • Human analogy: Polite conversationalist

CSMA/CD collision detection

“Taking Turns” MAC protocols Channel partitioning MAC protocols: • Share channel efficiently at high load • Inefficient at low load: delay in channel access, 1/N bandwidth allocated even if only 1 active node! Random access MAC protocols • Efficient at low load: single node can fully utilize channel • High load: collision overhead “Taking turns” protocols Look for best of both worlds!

“Taking Turns” MAC protocols Token passing: • Control token passed from one node to next sequentially. • Token message • Toncerns: • token overhead • latency • single point of failure (token) Polling: • Master node “invites” slave nodes to transmit in turn • Request to Send, Clear to Send msgs • Concerns: • Polling overhead • Latency • Single point of failure (master)

Summary of MAC protocols • What do you do with a shared media? • Channel Partitioning, by time, frequency or code • Time Division,Code Division, Frequency Division • Random partitioning (dynamic), • ALOHA, S-ALOHA, CSMA, CSMA/CD • Carrier sensing: easy in some technologies (wire), hard in others (wireless) • CSMA/CD used in Ethernet • Taking Turns • Polling from a central cite, token passing

LAN Addresses and ARP 32-bit IP address: • Network-layer address • Used to get datagram to destination network (recall IP network definition) LAN (or MAC or physical) address: • Used to get datagram from one interface to another physically-connected interface (same network) • 48 bit MAC address (for most LANs) burned in the adapter ROM

LAN Addresses and ARP Each adapter on LAN has unique LAN address

LAN Address (more) • MAC address allocation administered by IEEE • Manufacturer buys portion of MAC address space (to assure uniqueness) • Analogy: (a) MAC address: like Social Security Number (b) IP address: like postal address • MAC flat address ⟹portability • Can move LAN card from one LAN to another • IP hierarchical address NOT portable • Depends on network to which one attaches

223.1.1.1 223.1.2.1 E B A 223.1.1.2 223.1.2.9 223.1.1.4 223.1.2.2 223.1.3.27 223.1.1.3 223.1.3.2 223.1.3.1 Recall earlier routing discussion Starting at A, given IP datagram addressed to B: • Look up net. address of B, find B on same net. as A • Link layer send datagram to B inside link-layer frame Frame source, dest address Datagram source, dest address A’s IP addr B’s IP addr B’s MAC addr A’s MAC addr IP payload Datagram Frame

Question: how to determine MAC address of B given B’s IP address? ARP: Address Resolution Protocol • Each IP node (Host, Router) on LAN has ARPmodule, table • ARP Table: IP/MAC address mappings for some LAN nodes < IP address; MAC address; TTL> < ………………………….. > • TTL (Time To Live): Time after which address mapping will be forgotten (typically 20 min)

ARP protocol • A knows B's IP address, wants to learn physical address of B • A broadcasts ARP query pkt, containing B's IP address • All machines on LAN receive ARP query • B receives ARP packet, replies to A with its (B's) physical layer address • A caches (saves) IP-to-physical address pairs until information becomes old (times out) • Soft state: information that times out (goes away) unless refreshed

Routing to another LAN Walkthrough: routing from A to B via R • In routing table at source Host, find router 111.111.111.110 • In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc A R B

A creates IP packet with source A, destination B • A uses ARP to get R’s physical layer address for 111.111.111.110 • A creates Ethernet frame with R's physical address as dest, Ethernet frame contains A-to-B IP datagram • A’s data link layer sends Ethernet frame • R’s data link layer receives Ethernet frame • R removes IP datagram from Ethernet frame, sees its destined to B • R uses ARP to get B’s physical layer address • R creates frame containing A-to-B IP datagram sends to B A R B

Ethernet “Dominant” LAN technology: • Cheap: $20 for 100Mbps! • First widely used LAN technology • Simpler, cheaper than token LANs and ATM • Kept up with speed race: 10, 100, 1000 Mbps Metcalfe’s Ethernet sketch

Ethernet Frame Structure Sending adapter encapsulates IP datagram (or other network layer protocol packet) in Ethernet frame Preamble: • 7 bytes with pattern 10101010 followed by one byte with pattern 10101011 • Used to synchronize receiver, sender clock rates

Ethernet Frame Structure (more) • Addresses: 6 bytes, frame is received by all adapters on a LAN and dropped if address does not match • Type:Indicates the higher layer protocol, mostly IP but others may be supported such as Novell IPX and AppleTalk) • CRC:Checked at receiver, if error is detected, the frame is simply dropped

Ethernet: uses CSMA/CD A: sense channel, if idle then { transmit and monitor the channel; If detect another transmission then { abort and send jam signal; update # collisions; delay as required by exponential backoff algorithm; goto A } else {done with the frame; set collisions to zero} } else {wait until ongoing transmission is over and goto A}

Ethernet’s CSMA/CD (more) Jam Signal: make sure all other transmitters are aware of collision; 48 bits; Exponential Backoff: • Goal: adapt retransmission attempts to estimated current load • heavy load: random wait will be longer • First collision: choose K from {0,1}; delay is K x 512 bit transmission times • After second collision: choose K from {0,1,2,3}… • After ten or more collisions, choose K from {0,1,2,3,4,…,1023}

MACFloodingAttack • Problem:attackercancauselearningtabletofill • Generatemanypacketstovaried(perhapsnonexistent)MACaddresses • Thisharmsefficiency • Effectivelytransformsswitchintohub • Wastesbandwidth,end hostCPU • Thisharmsprivacy • Attackercaneavesdropbypreventingswitchfromlearningdestinationofaflow • Causesflow’spackettobefloodedthroughoutLAN • DHCP can be flooded with bogus IP “address accepted by host” responses, deny IP connectivity to devices

MACSpoofingAttack • HostpretendstoowntheMACaddressofanotherhost • Easytodo:mostEthernetadaptersallowtheiraddresstobemodified • Powerful:canimmediatelycausecompleteDoStospoofedhost • Alllearningtableentriesswitchtopointtotheattacker • Alltrafficredirectedtoattacker • CanenableattackertoevadeACLssetbased on MAC information

ARPSpoofingAttack HostB HostA 10.0.0.1 MAC: 10.0.0.3 MAC: 0000:ccab 0000:9f1e GratuitiousARP: “MyMAC is 0000:7ee5andI haveIPaddress 10.0.0.3” Attacker 10.0.0.6 MAC: 10.0.0.3 0000:7ee5 0000:7ee5 • AttackersendsfakeunsolicitedARPreplies • Attackercaninterceptforward-pathtraffic • Caninterceptreverse-pathtrafficbyrepeatingattackforsource • GratuitiousARPsmakethiseasy – Onlyworkswithinsamesubnet/VLAN Source: M. Caesar (UIUC)

CountermeasurestoARPSpoofing • IgnoreGratuitiousARP • Problems:gratuitiousARPisuseful,doesn’t completelysolvetheproblem • DynamicARPInspection(DAI) • Switchesrecord<IP,MAC>mappingslearnedfromDHCPmessages,dropall mismatchingARPreplies • Intrusiondetectionsystems(IDS) • Monitorall<IP,MAC>mappings,signal alarms • Can also partition Ethernet networks into “virtual” LANs that are disjoint from each other Source: M. Caesar (UIUC)

WEP Design Goals • Symmetric key crypto • Confidentiality • End host authorization • Data integrity • Self-synchronizing: each packet separately encrypted • Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers) • Efficient • Implementable in hardware or software

keystream generator key keystream Review: Symmetric Stream Ciphers • Combine each byte of keystream with byte of plaintext to get ciphertext: • m(i) = i-thunit of message • ks(i) = i-thunit of keystream • c(i) = i-thunit of ciphertext • c(i) = ks(i) m(i) ( = exclusive or) • m(i) = ks(i) c(i) • WEP uses RC4

Stream Cipher and Packet Independence • Recall design goal: each packet separately encrypted • If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted • Need to know where we left off for packet n • WEP approach: initialize keystream with key + new IV for each packet: keystream generator Key+IVpacket keystreampacket

encrypted IV KeyID data ICV MAC payload WEP Encryption (1) • Sender calculates Integrity Check Value (ICV) over data • Four-byte hash/CRC for data integrity • Each side has 104-bit shared key • Sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key • Sender also appends keyID (in 8-bit field) • 128-bit key inputted into pseudo random number generator to get keystream • Data in frame + ICV is encrypted with RC4: • B\bytes of keystream are XORed with bytes of data & ICV • IV & keyID are appended to encrypted data to create payload • Payload inserted into 802.11 frame

WEP Encryption (2) New IV for each frame

encrypted IV KeyID data ICV MAC payload WEP decryption overview • Receiver extracts IV • Inputs IV, shared secret key into pseudo random generator, gets keystream • XORs keystream with encrypted data to decrypt data + ICV • Verifies integrity of data with ICV • Note: Message integrity approach used here is different from MAC (message authentication code) and signatures (using PKI).

K (R) A-B End-Point Authentication w/ Nonce Nonce:Number (R) used only once –in-a-lifetime How to prove Alice “live”: Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

WEP Authentication authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce • Notes: • Not all APs do it, even if WEP is being used • AP indicates if authentication is necessary in beacon frame • Done before association

Breaking 802.11 WEP Encryption Security hole: • 24-bit IV, one IV per frame ⟹ IVs eventually reused • IV transmitted in plaintext ⟹IV reuse detected Attack: • Trudy causes Alice to encrypt known plaintext d1d2d3d4 … • Trudy sees: ci = diXORkiIV • Trudy knows cidi, so can compute kiIV • Trudy knows encrypting key sequence k1IVk2IVk3IV… • Next time IV is used, Trudy can decrypt!

802.11i: Improved Security • Numerous (stronger) forms of encryption possible • Provides key distribution • Uses authentication server separate from access point

WPA: WiFi Protected Access • “Snapshot of 802.11i” developed Oct. 2002 to fix WEP flaws • Short-term solution: patch WEP using same hardware • Temporal Key Integrity Protocol (TKIP) generates per-packet keys • Keys have short lifetime; continuously “refreshed” • TKIP includes Message Authentication Code for data integrity

WPA2: A Long-Term Solution • WPA2 provides confidentiality, data integrity, protection against replay attacks • Uses AES in counter mode with cipher block chaining (CBC) and message authentication code (MAC) with a different key • This is the Counter mode/CBC-MAC Protocol (CCMP) • Both WPA and WPA2 use 802.11i authentication mechanisms, described next

2 3 3 4 802.11i: Four Phases of Operation AP: access point STA: client station AS: Authentication server wired network 1 Discovery of security capabilities STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through” STA derives Pairwise Master Key (PMK) AS derives same PMK, sends to AP STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity

EAP: Extensible Authentication Protocol • EAP: end-end client (mobile) to authentication server protocol • EAP sent over separate “links” • Mobile-to-AP (EAP over LAN) • AP to authentication server (RADIUS over UDP) wired network EAP TLS EAP RADIUS EAP over LAN (EAPoL) IEEE 802.11 UDP/IP

Simple Messages in Networking Systems • The messages that are short, unencrypted and used for controlling • Examples • SYN message in TCP • Keep alive message in BGP • RTS/CTS/null data frames in 802.11 WLANs 47

Null Data Frames in 802.11 WLANs • A special type of data frame that contains no data • Widely used for power management, channel scanning and association keeping alive • Security vulnerabilities of null data frames in 802.11 WLANs • Functionality based Denial-of-Service attack • Implementation based fingerprinting attack 48

Null Data Frame Format Frame body part is empty Indicates whether frame body is encrypted 0: sleep/awake  awake 1: awake  sleep 49

Power Management in 802.11 WLANs beacon data awake => sleep beacon interval TIM = 0 =1 =1 =0 =0 time access point station

MAC Layer Security