security in wireless lans l.
Skip this Video
Loading SlideShow in 5 Seconds..
Security in Wireless LANs PowerPoint Presentation
Download Presentation
Security in Wireless LANs

Loading in 2 Seconds...

play fullscreen
1 / 52

Security in Wireless LANs - PowerPoint PPT Presentation

  • Uploaded on

Security in Wireless LANs. Presented by Raquel S. Whittlesey-Harris 6/25/02. Contents. Wireless LANs, An Overview Security Threats Basic Definitions HIPERLAN 802.11 Solutions References. Wireless LANs, An Overview. What is Wireless Local Area Network technology (WLAN)?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Security in Wireless LANs' - nili

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
security in wireless lans

Security in Wireless LANs

Presented by Raquel S. Whittlesey-Harris


  • Wireless LANs, An Overview
  • Security Threats
  • Basic Definitions
  • 802.11
  • Solutions
  • References
wireless lans an overview
Wireless LANs, An Overview
  • What is Wireless Local Area Network technology (WLAN)?
    • A wireless (w/o wired cables) data communication system that uses shared radio waves or infrared light to transmit and receive data
    • Provides freedom and flexibility to connect to a network or internet w/o being physically connected with a cable or modem
wireless lans an overview4
Wireless LANs, An Overview
  • Communication is via air, walls, ceilings and cement structures (throughout or between buildings)
    • Can alleviate network deployment costs
    • Solve some installation problems of older structures (asbestos)
    • Essentially an unlimited number of points for attacking
  • We will take a look at two standards
    • IEEE’s 802.11
wireless lans an overview5
Wireless LANs, An Overview
  • Peer-to-Peer (Adhoc)
    • Wireless devices have no access point connection and each device communicates with each other directly
wireless lans an overview6
Wireless LANs, An Overview
  • Client/Server (infrastructure networking)
    • Extends an existing wired LAN to wireless devices by adding an access point (bridge and central controller)
  • What is a secure environment?
    • No system is 100% secure
    • Generally applications, industries apply their own set of security tolerances
      • E.g., DHHA (Department of Health and Human Services) has created a set of rules called the HIPAA (Health Insurance Portability and Accountability Act) to regulate the use and discloser of protected health information
security threats
Security Threats
  • Denial-of-Service
    • The system or network becomes unavailable to legitimate users or services are interrupted or delayed (due to interference)
    • Equipment can be purchased from electronic stores easily and prices are reasonable
    • Protection is expensive and difficult
      • Only total solution is to have the wireless network inside of the faraday cage (applicable in rare cases)
    • Easy however to locate the transceiver used to generate the interference
security threats9
Security Threats
  • Interception/Eavesdropping (confidentiality)
    • Identity of a user is intercepted for use later to masquerade as a legitimate user
    • Data stream is intercepted and decrypted for the purpose of disclosing private information
    • Radio band transmissions are readily intercepted
      • There is no means to detect if a transmission has been eavesdropped
      • Strong encryption is necessary to keep the contents of intercepted signals from being disclosed
security threats10
Security Threats
    • The frequency band and transceiver power has a great effect on the range where the transmission can be heard
      • 2-5 MHz radio band and 1 W transceiver power
        • W/o electromagnetic shielding the network transmissions may be eavesdropped from outside of the building for which the network is operating
  • Manipulation
    • Data has been compromised
      • Inserted, deleted or otherwise modified
      • Can occur during transmission or to stored data
      • E.g., a virus
security threats11
Security Threats
  • Masquerading
    • The act of an adversary posing as a legitimate user in order to gain access to a wireless network or system served by the network
    • Strong authentication is required to prevent such attacks
  • Repudiation
    • User denies performing an action on the network
      • Sending a particular message
      • Accessing the network
    • Again strong authentication of user’s is required, integrity assurance methods, and digital signatures
security threats12
Security Threats
  • Transitive Trust
    • Intrusion by fooling the LAN to trust the mobile controlled by the intruder
    • Authentication again important
  • Infrastructure
    • These attacks are based on weaknesses in the system
      • Software, configuration, hardware failure, etc.
    • Protection almost impossible
      • Best to just test the system as thoroughly as possible
basic definitions
Basic Definitions
  • Confidentiality
    • Are you the only one who is viewing information specific to you or authorized users?
  • Integrity
    • Are you communicating with whom you think?
    • Is the data you are looking at correct or has it been tampered with?
  • Availability
    • Are the required services there when you need them?
  • Authentication
    • Are you who you say you are?
  • Developed by the European Telecommunications Standards Institute (ETSI)
  • Similar to 802.11
  • HiperLAN/1
    • Provides communications up to 20 Mbps in the 5-GHz range of the radio frequency spectrum
  • HiperLAN/2
    • Provides communications up to 54 Mbps in the same FR band
    • Compatible with 3G WLAN systems (data, images, voice)
  • Defines the MAC sublayer, Channel Access Control (CAC) sublayer and the physical layer
    • Currently the defined physical layers use 5.15 – 5.30 GHz frequency band and supports
      • Up to 2,048 Kbps synchronous traffic
      • Up to 25 Mbps asynchronous traffic
  • Properties
    • Provides a service that is compatible with the ISO MAC service definition in ISO/IEC 15 802-1
    • Compatible with the ISO MAC bridges specification ISO/IEC 10 038 for interconnection with other LANS
    • Ad-hoc or arranged topology possible
    • Supports mobility
    • May have coverage beyond the radio range limitation of a single node
    • Supports asynchronous and time-bounded communication by means of a Channel Access Mechanism (CAM) – priorities provide hierarchical independence of performance
    • Power Management
  • Defines an optional encryption-decryption scheme
    • All HM-entities (HiperLAN MAC) use a common set of shared keys (HIPERLAN key-set)
      • Each has a unique key identifier
    • Plain text is ciphered by XOR operation with random sequence generated by a confidential algorithm
      • Uses the secret key and an initialization vector sent in every MPDU (MAC Protocol Data Unit) as input
  • HiperLAN does not define any kind of authentication
802 11
  • Defined by IEEE to cover the physical layers and MAC sublayers for WLANs
    • 3 physical layers
      • Frequency Hopping Spread Spectrum (FHSS)
      • Direct Sequence Spread Spectrum (DSSS or DS-CDMA)
      • Baseband Infrared
    • DSSS is mostly used since FHSS cannot support high speeds without violating FCC regulations
    • All physical layers offer2 Mbps data rate
    • Radio uses 2,400 – 2,483.5 MHz frequency band
    • MAC layer is common to all physical layers
802 1121
  • 802.11 implementation
802 1122
  • Properties
    • Supports Isochronous and Asynchronous
    • Supports priority
    • Association/Disassociation to an AP in a BSS or ESS
    • Re-Association or Mobility Management to transfer of association from one AP to another
    • Power Management (battery preservation)
    • Authentication to establish identity of terminals
    • Acknowledgement to ensure reliable wireless transmission
    • Timing synchronization to coordinate the terminals
    • Sequencing with duplication detection and recovery
    • Fragmentation/Re-assembly
802 1123
  • Defines two authentication schemes
    • Open System Authentication
      • All mobiles requesting access are accepted
    • Shared Key Authentication
      • Uses shared key cryptography to authenticate
802 1125
  • Optional Wired Equivalent Privacy (WEP) mechanism
    • Confidentiality and Integrity of traffic
    • Station-to-Station
      • No end-to-end security
    • Integrity Check (ICV)
    • Implements RC4 PRNG[8] algorithm
      • 40 bit secret key
      • 24 bit initialization vector (IV)
802 1126
  • RC4
    • Input: IV, Random Key, Plaintext
    • IV and key is input to E  keystream output
    • Keystream output is XORed with plain text  ciphertext
    • Keystream output is also fed back to I (to cause a variation as a function of IV and key); must not use same keystream twice
    • IV sent as an unencrypted part of the ciphertext stream (integrity must be assured)
802 1127
  • RC4
    • Supports variable length keys
      • Most commonly used are 40 bits for export controlled systems and 128 bits for domestic applications
      • 128 bit encryption (104 bits key)
    • Standard does not specify key management or distribution
      • Provide a globally shared array of 4 keys
      • Supports an additional array that associates a unique key with each user station
802 1128
  • RC4
    • A CRC32 bit stream is appended to the plaintext message to provide integrity
      • Does not ensure cryptographic integrity
802 1129
  • Vulnerabilities and Weaknesses
    • Authentication
      • Authentication and an association (binding between the station and access point (AP)) is required before transmission
        • States
          • Unauthenticated & unassociated
          • Authenticated & unassociated
          • Authenticated and associated
      • Two authentication methods mentioned earlier
        • Open System Authentication (OSA)
        • Shared Key Authentication
802 1130
  • OSA
    • Default authentication method
    • Two management frames exchanged
      • Station  station MAC address, identifier (authentication request)  AP
      • AP  status field (authentication success or failure)
        • Authenticated and unassociated
    • Two frames to establish association
      • Most vendors implement a wireless access control mechanism based on examining the station MAC address and blocking unwanted stations from associating
        • Requires that a list of authorized MAC addresses be loaded on each AP
802 1131
  • OSA Weaknesses
    • Loading and identifying MAC addresses is manually intensive
    • Snoopers can get valid MAC addresses and modify a station to use the valid address
      • Potential to create problems with 2 addresses using the network at the same time
802 1132
  • Shared Key Authentication
    • Uses the optional WEP algorithm along with a challenge response system to mutually authenticate a station and an AP
      • APs  beacon (announce presence)
      • Station  beacon (AP address)
      • Station  management frame (seq #1)  AP
      • AP  authentication challenge (seq #2)  Station
        • Psuedo-random number + shared key + random IV
          • Unencrypted
802 1133
  • SKA
      • Station  challenge
        • Copies into a new frame which is encrypted (WEP)
          • Shared key, new IV
        •  AP
      • AP  frame
        • Decrypts,
        • Checks CRC32
        • Checks challenge
    • Repeat to authenticate the AP
802 1135
  • Shared Key Authentication Weaknesses
    • Snoopers monitor the second (unencrypted challenge) and third (encrypted challenge) exchanges
      • Plaintext of the original frame including the random challenge
      • Encrypted frame containing the challenge
      • IV used to encrypt the challenge
    • XOR of plaintext, ciphertext  keystream to encrypt the challenge response frame
802 1136
  • Snooper does not have shared secret key but with keystream can enter the network
    • Requests authorization to the network
    • AP sends new challenge (new IV)
    • Compute a valid CRC-32 checksum
    • Encrypts the challenge with the keystream acquired earlier
    • Appends IV used and sends the frame
  • Further penetration cannot be achieved without the proper secret key
802 1137
  • RC4 Encryption
    • WEP does not implement a secure version of RC4 and violates several other cryptographic design and implementation principles
      • Suggestions have been made to not only increase the key sizes and strengthen key management,
        • Replace encryption algorithm
        • Addition of a session key derivation algorithm
        • Lengthening the IV to 128 bits
        • Adding a sequence number in dynamic keyed implementations
        • Addition of 128 bit cryptographic integrity check
        • Additional encryption of other payload elements
802 1138
  • Interception
    • 802.11 specifies three physical layers,
      • Infrared (IR)
      • Frequency Hopping Spread Spectrum (FHSS)
      • Direct Sequence Spread Spectrum (DSSS)
    • Broadcasts 900 MHz, 2.4 GHz, 5 GHz
    • Commercial wireless devices is readily capable of receiving all signals
    • It is also fairly simple to modify the device drivers or flash memory to monitor all traffic
802 1139
  • Keystream Reuse
    • Standard recommends but does not require changing the IV for every frame transmitted
      • No guidance is provided for selecting or initializing the IV
    • Two packets using the same IV and key allows a snooper to discover plaintext
      • The XOR of two ciphertexts  the XOR of two plaintexts
        • Knowing one plaintext is all it takes
    • Berkeley indicates that some PCMCIA cards reset the IV to zero when initialized and then increment the IV by one for each packet transmitted
802 1140
  • Standard specifies the size of the IV field to be 3 octets (24 bits)
    • IV will rollover mode 24
      • Reused after 224 packets
    • Since MAC frames range in size from 34 bytes to 2346 bytes
      • Min rollover occurs at 224 x 34 bytes (570 MB)
      • Max rollover occurs at 224 x 2346 bytes (40 GB)
    • Berkeley indicates a busy AP will rollover in about a half of a day operating at half capacity
  • Reading the IV is trivial since it is transmitted unencrypted
802 1141
  • Integrity Assurance
    • The ICV (Integrity Check Value)
      • Plaintext is concatenated with the ICV to form the plaintext to be encrypted
      • CRC32 – linear function
        • Possible to change 1 or more bits in the original plaintext and predict which bits in the CRC32 checksum to modify
        • Checksum is performed over the entire MAC packet
          • Includes higher level protocol routing address and port fields (can redirect message when changing IP address)
      • 32 bits (4 octets) in MAC frame
  • IEEE is working on upgrade of security standard
  • Vendors can implement key management (external to the standard)
    • Limits choices (interoperability)
  • VPN (Virtual Private Network)
    • Provides a secure and dedicated channel over an un-trusted network
      • Provides authentication and full encryption
  • A solution
    • Requirement – seamless integration into existing wired networks
      • link layer security is selected over end-to-end (machine-to-machine)
    • Requirement – two-way authentication
    • Requirement – flexibility to utilize the future advances in cryptography
  • Authentication – public key cryptography
    • Certificates contain
      • {serial number, validity period, machine name, machine public key, CA name}
    • Mobile  {Cert_Mobile, CH1, Kist of SKCSs}  Base
      • CH1 is a random generated number
      • SKCSs is transmitted to negotiate algorithm used
        • Algorithm and key size are transmitted in list
    • Base  verify signature on Cert_Mobile
      • Proves the public key in the certificate belongs to a certified mobile host
        • Not sure if the certificate belongs to the mobile
      • If certificate is invalid
        • Reject connection
  • Base  {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, SH1, List of SKCSs}}  Mobile
    • Save RN1 for later use
    • Chosen SKCS is most secure from those supported by both
  • Mobile  validates Cert_Base, verify signature of message (using public key of Base)
    • If CH1 and List of SKCS match those sent by mobile to base
      • Authenticate base
  • Mobile  {E(Pub_Base, RN2), Sig{Priv_Mobile,{E(Pub_Base, RN2), E(Pub_Mobile, RN1)}}}  Base
    • RN2 is randomly generated by mobile
    • RN1 XOR RN2 is used as a session key for all communications remaining
    • Base  verifies the signature of the message using Pub_Mobile
      • Authenticate mobile if valid
      • Decrypt E(Pub_Base, RN2) with private key
      • Form session key RN1 XOR RN2
  • Session key formed in two parts sent in different messages for better protection
    • Compromising the private key does not compromise the traffic
    • Need to know both RN1 and RN2
  • These transactions are to occur at the MAC layer prior to network access
  • Confidentiality can be achieved using an existing symmetric cryptography algorithm
    • IDEA – International Data Encryption Algorithm
      • Uses Block Cipher with a 128-bit key
    • DES – Data Encryption Standard
      • Private key encryption (72 quadrillion possible keys)
      • Restricted for exportation by US Government
    • Shared key is agreed using mechanism above
  • Integrity can be achieved using a fingerprint generated by a one-way hash function
    • MD5
    • SHA
  • Key Change Protocol
    • Initialized by base or mobile
    • E.g.,
      • Base  Signed(Priv_Base,{E(Pub_Mobile, New_RN1), E(Pub_Mobile,RN1) })  Mobile
      • Mobile  Signed(Priv_Mobile,{E(Pub_Base, New_RN2), E(Pub_Base, RN2) })  Base
    • New RN1 XOR RN2 value is used
  • Key Management
    • One possible solution is to use the smart card technology
      • CA creates the private and public keys inside the smart card
        • Private key never readable from card
      • CA signs the public key with his private key and stores the public key to the smart card
      • Smart card is given to the end user to use in any wireless LAN mobile
  • Uskela, Sami, Security in Wireless Local Area Networks, Department of Electrical and Communications Engineering, Helsinki University of Technology, December 1997
  • Mahan, Robert, Security in Wireless Networks, SANS Institute, November 2001
  • Laing, Alicia, The Security Mechanism for IEEE 802.11 Wireless Networks, SANS Institute, November 2001
  • Ellingson, Jorgen, Layers One & Two of 802.11 WLAN Security, SANS Institute, August 2001
  • Fidler, Beau, Mobile Medicine. SANS Institute, August 2001
  • Hurley, Chad, Isolating and Securing Wireless LANs, SANS Institute, October 2001
  • Conn, Dale, Security Aspects of Mobile IP, SANS Institute, December 2001
  • Voorhees, James, The Limits on Wireless Security: 802.11 in early 2002, SANS Institute, January 2002
  • McAleer, Sean, A Defense-in-Depth Approach for Securing Mobile Devices and Wireless LANs, SANS Institute, January 24, 2001
  • Ow, Eng Tiong, IEEE 802.11b Wireless LAN: Security Risks, SANS Institute, September 2001