謝續平

Published in: Technology

  1. 1. Wireless Security - Attacks and Countermeasures
      Shiuhpyng Shieh
      Director, Taiwan Information Security Center (TWISC@NCTU)
      Director, NCTU-Cisco Internet Technology Lab
      Prof., CS Dept., Nat’l Chiao Tung Univ.
  2. 2. Contents
      - Wireless Security & Threats
      - Security Challenges and Issues
      - Wireless Security over Multi-Networks
      - WiSec - Wireless Security Operation Center
      - SWOON - Secure Wireless Overlay Observation Network (joint with UC Berkeley)
      - Conclusions
  3. 3. Sponsorship of Taiwan Information Security Center
      - Sponsored by National Science Council and other institutes (Telecommunication Technology Center of Taiwan, ITRI, DoD of Taiwan)
      - Fifteen professors from six universities involved.
  4. 4. Collaboration
  5. 5. NCTU-Cisco Internet Technology Lab
      - NCTU-Cisco Partnership
      - Research and develop software tools and infrastructure for assuring the security of network software
  6. 6. Lab Facility in CIT
  7. 7. Research Topics at TWISC
      - Security across Wireless Multi-Networks
        - WLAN
          - Wireless Security Protocols: WEP, WPA
          - Software Security
          - Light-Weight Cryptosystems
          - Intrusion Detection/Prevention
        - Ad Hoc Networks
          - Secure Routing
          - DDoS attacks: source end, victim end, intermediate nodes
          - IP Traceback: packet logging, packet marking
        - Wireless Sensor Networks
          - Limited hardware, memory and energy resources
          - More vulnerable
          - Data aggregation
        - Others
          - Wi-Max
          - PCS: GSM, 3G, …
      - Prototype Systems
        - WiSec - Wireless Security Operation Center
        - SWOON - Secure Wireless Overlay Observation Network
  8. 8. Wireless Security & Threats – Bringing You a Secure Wireless World
      - When Reliability, Security, and Wireless Meet!
      - Heterogeneous Multi-Networks
  9. 9. Introduction to Wireless Access
      - Wireless
        - Convenient
        - Mobility
        - Usually limited computation power
      - However
        - Air media - easy to listen
        - Mobile device – lack of protection
  10. 10. Wireless Security Challenges
      - Wireless security challenges:
        - Physical media can easily be sniffed.
        - Mobile computing needs to preserve battery power.
        - Calculation costs more on a mobile platform.
      - War-driving: drive around the Bay Area and see which 802.11 networks are available
        - Most APs are accessible from public roadways
        - 85% use no encryption/authentication
        - Packet sniffing and various attacks are easy!
        - Various attack tools – AirSnort (airsnort.shmoo.com), NetStumbler (http://www.hacker.org.tw/)
        - Moveable hardware
  11. 11. WLAN Security Threats
      - Passive Attacks
        - Eavesdropping
        - Traffic analysis (cryptanalysis)
      - Active Attacks
        - Masquerade
        - Replay
        - Message modification
        - Denial of service
      - Hot Spot Attacks
  12. 12. Security Issues of Wireless Networks
      - Security is a major issue
        - Protection of Mobile Devices
        - Software Security – program vulnerabilities
        - Security Protocols - authentication
      - Different architectures have different security vulnerabilities
      - We will introduce architecture and security vulnerabilities separately
  13. 13. Wireless Security Mechanisms
      - Mobile device protection
      - Software/program security
      - Security protocols
        - GSM
        - 3G
        - Wi-Fi (Wireless LAN)
          - WEP
          - WPA
            - IEEE 802.1x
        - Wi-Max
        - Bluetooth
        - RFID
        - Wireless Sensor Networks
  14. 14. Wi-Fi (Wireless LAN)
  15. 15. Wireless Characteristics - open system
      - allows anyone to begin a conversation with the access point, and provides no security whatsoever to the client who can talk to the AP
      - [Diagram: Client sends Associate request to Access Point (AP); AP returns Associate response]
  16. 16. WLAN Security Mechanism
      - WEP (Wired Equivalent Privacy)
      - 802.11i
        - WPA = 802.1x + EAP + TKIP + MIC
  17. 17. WiMAX PKM Protocol
      [Sequence diagram between SS and BS]
      - AK exchange
        - authentication information: X.509 certificate
        - authorization request: X.509 certificate, capability, Basic CID
        - authorization reply: encrypted AK, SAIDs, SQN AK, …
      - TEK exchange
        - key request: SAID, HMAC-Digest, …
        - key reply: encrypted TEK, CBC IV, HMAC-Digest, …
      - Data encrypted by TEK
      - Processing steps annotated on the diagram
        - 1. Authenticate SS; 2. Generate AK, encrypt with public key
        - decrypt with AK
        - 1. Verify HMAC-Digest with SHA; 2. Generate TEK; 3. Using AK to generate KEK, then generate TEK
        - 1. Verify HMAC-Digest with SHA; 2. Using AK to generate KEK, then generate TEK
  18. 18. GSM Network Architecture
      - MS: Mobile Station
      - BTS: Base Transceiver Station
      - BSC: Base Station Controller
      - MSC: Mobile Switching Center
      - OMS: Operation and Maintenance System
      - VLR: Visited Location Register
      - HLR: Home Location Register
      - AUC: Authentication Center
      - EIR: Equipment Identity Register
      - [Diagram labels: MS, BTS, BSC, MSC, VLR, HLR, AUC, EIR, OMS, PSTN/ISDN; interfaces Um, A-bis, A; Voice Traffic; Mobility mgt]
  19. 19. 3G Network Architecture
      - RAN: Radio Access Network
      - RNC: Radio Network Controller
      - [Diagram labels: Circuit/Signaling Gateway, 2G/2.5G, 2G, IN Services, Call Agent, Feature Server(s), RNC, 3G, Data + Packet Voice, Circuit Switch, Circuit Network, Packet Network (Internet), Packet Gateway, Radio Access Control, Voice, Mobility Manager, IP Core Network, IP RAN, Circuit switch, Packet switch]
  20. 20. The technologies - RFID
      - Provides a means of retrieving information stored on a tag using radio frequencies
      - Function
        - Identify
        - Provide information
        - Instruct downstream operations
      - Benefit
        - Doesn’t require line of sight
        - High speed multiple read capability
        - Accurate
        - Can be read in harsh environments
        - Difficult to counterfeit
        - Can carry large amounts of data
        - Can be read and written
      - Price prohibitive for most consumer packs
      - Primarily used for returnable systems
  21. 21. Wireless Security Operation
      - WiSec – Wireless Security Operation Center
      - SWOON – Secure Wireless Overlay Observation Network
  22. 22. WiSec - Wireless Security Operation Center
      - Architecture
  23. 23. Problem – Illegal APs / STAs
      - An illegal AP or station may diminish or negate traditional wired security protection (e.g. firewall).
  24. 24. Problem – WEP / WPA-PSK
      - WEP can be compromised in 3 minutes.
      - WPA-PSK (pre-shared key mode) is vulnerable to offline dictionary attack.
  25. 25. Problem – Deauthentication Flood
      - An illegal station may flood AP with forged deauthentication or disassociation packets to disconnect legal stations from the AP.
  26. 26. Problem – Beacon Flood
      - An illegal station generates thousands of counterfeit 802.11 beacons to make it hard for legal stations to find a legitimate AP.
  27. 27. WiSec System Components
      - WiSec (Wireless Security Monitor)
        - Network Topology Explorer
        - Weak Key Analyzer
        - Denial of Service Detector
  28. 28. Subsystem - Network Topology Explorer
      - Objective: Detect illegal APs and Stations
      - Network Topology Explorer
        - AP Topology Explorer
        - Station Topology Explorer
  29. 29. Subsystem - Weak Key Analyzer
      - Objective: Recover the WEP and WPA-PSK key, and analyze its strength of security.
      - Weak Key Analyzer
        - WEP Key Cracker
        - WPA-PSK Key Cracker
  30. 30. Subsystem - Denial of Service Detector
      - Objective: Detect “802.11 Beacon flood” or “Deauthentication flood” attacks.
      - Denial of Service Detector
        - 802.11 Beacon Flood
        - Deauthentication Flood
        - Disassociation Flood
  31. 31. WiSec – Wireless Security Operation Center
  32. 32. SWOON – Secure Wireless Overlay Observation Network
      - A-Node simulates APs
      - S-Node simulates STAs (station)
      - X-Node simulates 802.1x Authentication servers
      - NOTE:
        - Each AP has 4 BSSIDs, but only 1 antenna
        - Wireless Switch can be used to construct the Wireless VLAN in this network
        - Each S-Node has one or more wireless NIC; they talk to one of the APs in A-Node
      - [Diagram labels: Power Controller, Switch / Hub, Switch (Control), User server, Boss server, Wireless Switch Network, Public IP, Private IP, Switch, A-Node 1, S-Node 1, A-Node 2, S-Node 2, X-Node 1, X-Node 2]
  33. 33. Conclusions
      - Security is critical in wireless multi-networks
      - Wireless Security Operation Center WiSec is the first step
      - Secure Wireless Overlay Observation Network SWOON will follow
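
The TEK exchange on slide 17 (key request and key reply, each carrying an HMAC-Digest that the receiver verifies with SHA) can be modelled as follows. This is an added example, not code from the slides or from any WiMAX implementation: the pad constants, the field encoding, the XOR stand-in for the TEK encryption and the assignment of steps to SS and BS are assumptions made for illustration.

```python
import hashlib, hmac, os

# Assumed for this example: SHA-1 key derivation over a fixed pad plus the AK,
# length-prefixed message fields, and an XOR stand-in for the TEK encryption.
def derive(ak, pad_byte, length=20):
    return hashlib.sha1(bytes([pad_byte]) * 64 + ak).digest()[:length]

def keys_from_ak(ak):
    return {"kek": derive(ak, 0x53, 16),   # protects the TEK in the key reply
            "up": derive(ak, 0x5C),        # HMAC key for SS -> BS messages
            "down": derive(ak, 0x3A)}      # HMAC key for BS -> SS messages

def hmac_digest(key, fields):
    # Length-prefix every field so the MAC covers unambiguous boundaries.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha1).digest()

def wrap(kek, iv, tek):
    # Stand-in cipher (its own inverse); the real protocol uses a block cipher.
    pad = hmac.new(kek, iv, hashlib.sha1).digest()[:len(tek)]
    return bytes(a ^ b for a, b in zip(tek, pad))

def ss_key_request(ak, said):
    fields = [b"key-request", said]
    return fields, hmac_digest(keys_from_ak(ak)["up"], fields)

def bs_key_reply(ak, fields, mac):
    k = keys_from_ak(ak)
    if not hmac.compare_digest(mac, hmac_digest(k["up"], fields)):
        return None                        # altered or forged request: no TEK issued
    tek, iv = os.urandom(16), os.urandom(8)
    out = [b"key-reply", fields[1], wrap(k["kek"], iv, tek), iv]
    return tek, out, hmac_digest(k["down"], out)

def ss_accept_reply(ak, fields, mac):
    k = keys_from_ak(ak)
    if not hmac.compare_digest(mac, hmac_digest(k["down"], fields)):
        return None
    return wrap(k["kek"], fields[3], fields[2])

def run_exchange(tamper_request=False):
    ak = os.urandom(20)                    # constructed AK, already shared by SS and BS
    fields, mac = ss_key_request(ak, b"\x00\x01")
    if tamper_request:
        fields[1] = b"\x00\x02"            # SAID modified in transit
    result = bs_key_reply(ak, fields, mac)
    if result is None:
        return "rejected"
    tek, out, out_mac = result
    return "tek-agreed" if ss_accept_reply(ak, out, out_mac) == tek else "mismatch"
```

Because both HMAC keys and the KEK are derived from the AK, the integrity of the TEK exchange rests entirely on the AK exchange that precedes it.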
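
One way the Denial of Service Detector on slide 30 could flag the floods described on slides 25 and 26 is a sliding-window count over management-frame metadata. This is an added example, not WiSec's own code: the thresholds, the tuple format and the sample frames are assumptions, and the beacon check is a heuristic that counts newly seen BSSIDs.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not values from the slides.
WINDOW_S = 1.0        # sliding window length in seconds
MGMT_LIMIT = 10       # deauth or disassoc frames per BSSID per window
NEW_BSSID_LIMIT = 20  # BSSIDs first seen beaconing within one window

def detect_floods(frames):
    """frames: (timestamp, subtype, bssid) tuples sorted by time.
    Returns [(timestamp, alert, subject)], one alert per kind and subject."""
    mgmt = defaultdict(deque)          # (subtype, bssid) -> recent timestamps
    first_seen = deque()               # timestamps at which a new BSSID appeared
    known, alerted, alerts = set(), set(), []
    for ts, subtype, bssid in frames:
        key = None
        if subtype in ("deauth", "disassoc"):
            q = mgmt[(subtype, bssid)]
            q.append(ts)
            while ts - q[0] > WINDOW_S:
                q.popleft()
            if len(q) > MGMT_LIMIT:
                key = (subtype + "_flood", bssid)
        elif subtype == "beacon":
            # A real AP beacons steadily from one BSSID; a flood shows up as a
            # burst of BSSIDs never seen before.
            if bssid not in known:
                known.add(bssid)
                first_seen.append(ts)
            while first_seen and ts - first_seen[0] > WINDOW_S:
                first_seen.popleft()
            if len(first_seen) > NEW_BSSID_LIMIT:
                key = ("beacon_flood", "*")
        if key and key not in alerted:
            alerted.add(key)
            alerts.append((ts, *key))
    return alerts

def sample_capture():
    """Constructed frame metadata, not a real capture."""
    ap1, ap2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
    frames = [(i * 0.1, "beacon", ap) for i in range(30) for ap in (ap1, ap2)]
    frames.append((0.5, "deauth", ap2))                             # ordinary disconnect
    frames += [(1.0 + i * 0.01, "deauth", ap1) for i in range(40)]  # burst against ap1
    frames += [(2.0 + i * 0.005, "beacon", "02:00:00:00:00:%02x" % i)
               for i in range(60)]                                  # counterfeit beacons
    return sorted(frames)
```

On the constructed capture the single deauthentication at 0.5 s stays below the limit, while the burst against one BSSID and the wave of new BSSIDs each raise one alert.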
