
謝續平


Published in: Technology

  1. Wireless Security - Attacks and Countermeasures
     Shiuhpyng Shieh
     Director, Taiwan Information Security Center (TWISC@NCTU)
     Director, NCTU-Cisco Internet Technology Lab
     Prof., CS Dept., Nat’l Chiao Tung Univ.
  2. Contents
     • Wireless Security & Threats
     • Security Challenges and Issues
     • Wireless Security over Multi-Networks
     • WiSec - Wireless Security Operation Center
     • SWOON - Secure Wireless Overlay Observation Network (joint with UC Berkeley)
     • Conclusions
  3. Sponsorship of Taiwan Information Security Center
     • Sponsored by National Science Council and other institutes (Telecommunication Technology Center of Taiwan, ITRI, DoD of Taiwan)
     • Fifteen professors from six universities involved.
  4. Collaboration
  5. NCTU-Cisco Internet Technology Lab
     • NCTU-Cisco Partnership
     • Research and develop software tools and infrastructure for assuring the security of network software
  6. Lab Facility in CIT
  7. Research Topics at TWISC
     • Security across Wireless Multi-Networks
       • WLAN
         • Wireless Security Protocols: WEP, WPA
         • Software Security
         • Light-Weight Cryptosystems
         • Intrusion Detection/Prevention
       • Ad Hoc Networks
         • Secure Routing
         • DDoS attacks: source end, victim end, intermediate nodes
         • IP Traceback: packet logging, packet marking
       • Wireless Sensor Networks
         • Limited hardware, memory and energy resources
         • More vulnerable
         • Data aggregation
       • Others
         • Wi-Max
         • PCS: GSM, 3G, …
     • Prototype Systems
       • WiSec - Wireless Security Operation Center
       • SWOON - Secure Wireless Overlay Observation Network
  8. Wireless Security & Threats – Bringing You a Secure Wireless World
     • When Reliability, Security, and Wireless Meet!
     • Heterogeneous Multi-Networks
  9. Introduction to Wireless Access
     • Wireless
       • Convenient
       • Mobility
       • Usually limited computation power
     • However
       • Air media: easy to listen in on
       • Mobile device: lack of protection
  10. Wireless Security Challenges
     • Wireless security challenges:
       • Physical media can easily be sniffed.
       • Mobile computing needs to preserve battery power.
       • Calculation costs more on a mobile platform.
     • War-driving: drive around the Bay Area and see which 802.11 networks are available
       • Most APs are accessible from public roadways
       • 85% use no encryption/authentication
       • Packet sniffing and various attacks are easy
       • Various attack tools: AirSnort (airsnort.shmoo.com), NetStumbler (http://www.hacker.org.tw/)
       • Moveable hardware
  11. WLAN Security Threats
     • Passive Attacks
       • Eavesdropping
       • Traffic analysis (cryptanalysis)
     • Active Attacks
       • Masquerade
       • Replay
       • Message modification
       • Denial of service
     • Hot Spot Attacks
  12. Security Issues of Wireless Networks
     • Security is a major issue
       • Protection of Mobile Devices
       • Software Security: program vulnerabilities
       • Security Protocols: authentication
     • Different architectures have different security vulnerabilities
     • We will introduce architecture and security vulnerabilities separately
  13. Wireless Security Mechanisms
     • Mobile device protection
     • Software/program security
     • Security protocols
       • GSM
       • 3G
       • Wi-Fi (Wireless LAN)
         • WEP
         • WPA
           • IEEE 802.1x
       • Wi-Max
       • Bluetooth
       • RFID
       • Wireless Sensor Networks
  14. Wi-Fi (Wireless LAN)
  15. Wireless Characteristics - open system
     • Allows anyone to begin a conversation with the access point, and provides no security whatsoever to the client who can talk to the AP
     • Diagram: Client and Access Point (AP) exchanging Associate request and Associate response
  16. WLAN Security Mechanism
     • WEP (Wired Equivalent Privacy)
     • 802.11i
       • WPA = 802.1x + EAP + TKIP + MIC
  17. WiMAX PKM Protocol
     • Parties: SS, BS
     • AK exchange
       • authentication information: X.509 certificate
       • authorization request: X.509 certificate, capability, Basic CID
       • authorization reply: encrypted AK, SAIDs, SQN AK, …
     • TEK exchange
       • key request: SAID, HMAC-Digest, …
       • key reply: encrypted TEK, CBC IV, HMAC-Digest, …
       • Data encrypted by TEK
     • Processing steps annotated on the diagram
       • 1. Authenticate SS; 2. Generate AK, encrypt with public key
       • decrypt with AK
       • 1. Verify HMAC-Digest with SHA; 2. Generate TEK; 3. Using AK to generate KEK, then generate TEK
       • 1. Verify HMAC-Digest with SHA; 2. Using AK to generate KEK, then generate TEK
  18. GSM Network Architecture
     • MS: Mobile Station
     • BTS: Base Transceiver Station
     • BSC: Base Station Controller
     • MSC: Mobile Switching Center
     • OMS: Operation and Maintenance System
     • VLR: Visited Location Register
     • HLR: Home Location Register
     • AUC: Authentication Center
     • EIR: Equipment Identity Register
     • Diagram labels: Voice Traffic, Mobility mgt, MS, BTS, BSC, MSC, VLR, HLR, AUC, EIR, OMS, PSTN/ISDN; interfaces Um, A-bis, A
  19. 3G Network Architecture
     • RAN: Radio Access Network
     • RNC: Radio Network Controller
     • Diagram labels: Circuit/Signaling Gateway, 2G/2.5G, 2G, IN Services, Call Agent, Feature Server(s), RNC, 3G, Data + Packet Voice, Circuit Switch, Circuit Network, Packet Network (Internet), Packet Gateway, Radio Access Control, Voice, Mobility Manager, IP Core Network, IP RAN, Circuit switch, Packet switch
  20. The technologies - RFID
     • Provides a means of retrieving information stored on a tag using radio frequencies
     • Function
       • Identify
       • Provide information
       • Instruct downstream operations
     • Benefit
       • Doesn’t require line of sight
       • High speed multiple read capability
       • Accurate
       • Can be read in harsh environments
       • Difficult to counterfeit
       • Can carry large amounts of data
       • Can be read and written
     • Price prohibitive for most consumer packs
     • Primarily used for returnable systems
  21. Wireless Security Operation
     • WiSec – Wireless Security Operation Center
     • SWOON – Secure Wireless Overlay Observation Network
  22. WiSec - Wireless Security Operation Center
     • Architecture
  23. Problem – Illegal APs / STAs
     • An illegal AP or station may diminish or negate traditional wired security protection (e.g. firewall).
  24. Problem – WEP / WPA-PSK
     • WEP can be compromised in 3 minutes.
     • WPA-PSK (pre-shared key mode) is vulnerable to offline dictionary attack.
  25. Problem – Deauthentication Flood
     • An illegal station may flood AP with forged deauthentication or disassociation packets to disconnect legal stations from the AP.
  26. Problem – Beacon Flood
     • An illegal station generates thousands of counterfeit 802.11 beacons to make it hard for legal stations to find a legitimate AP.
  27. WiSec System Components
     • WiSec (Wireless Security Monitor)
       • Network Topology Explorer
       • Weak Key Analyzer
       • Denial of Service Detector
  28. Subsystem - Network Topology Explorer
     • Objective: Detect illegal APs and Stations
     • Network Topology Explorer
       • AP Topology Explorer
       • Station Topology Explorer
  29. Subsystem - Weak Key Analyzer
     • Objective: Recover the WEP and WPA-PSK key, and analyze its strength of security.
     • Weak Key Analyzer
       • WEP Key Cracker
       • WPA-PSK Key Cracker
  30. Subsystem - Denial of Service Detector
     • Objective: Detect “802.11 Beacon flood” or “Deauthentication flood” attacks.
     • Denial of Service Detector
       • 802.11 Beacon Flood
       • Deauthentication Flood
       • Disassociation Flood
  31. WiSec – Wireless Security Operation Center
  32. SWOON – Secure Wireless Overlay Observation Network
     • A-Node simulates APs
     • S-Node simulates STAs (stations)
     • X-Node simulates 802.1x Authentication servers
     • NOTE:
       • Each AP has 4 BSSIDs, but only 1 antenna
       • Wireless Switch can be used to construct the Wireless VLAN in this network
       • Each S-Node has one or more wireless NICs; they talk to one of the APs in A-Node
     • Diagram labels: Power Controller, Switch / Hub, Switch (Control), Switch, User server, Boss server, Wireless Switch Network, Public IP, Private IP, A-Node 1, A-Node 2, S-Node 1, S-Node 2, X-Node 1, X-Node 2
  33. Conclusions
     • Security is critical in wireless multi-networks
     • Wireless Security Operation Center WiSec is the first step
     • Secure Wireless Overlay Observation Network SWOON will follow
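
The flood conditions named on slides 25, 26 and 30 can be detected with sliding-window counters over captured 802.11 management frames. The sketch below is an added example, not WiSec code: the `Frame` record, the window length, both thresholds and the sample capture are assumptions constructed for illustration.

```python
from collections import deque, namedtuple
# One captured 802.11 management frame: time in ms, subtype, BSSID (assumed record).
Frame = namedtuple("Frame", "ts subtype bssid")
WINDOW_MS = 1000       # sliding window (assumed value)
DEAUTH_LIMIT = 10      # deauth/disassoc frames per BSSID per window (assumed)
NEW_BSSID_LIMIT = 20   # previously unseen beacon BSSIDs per window (assumed)

def detect_floods(frames, known_bssids=()):
    """Return [(ts, kind, bssid)], one entry per flood onset."""
    alerts, firing = [], set()
    recent = {}                   # (subtype, bssid) -> timestamps in window
    seen = set(known_bssids)      # BSSIDs already observed or pre-approved
    first_seen = deque()          # first-seen times of new beacon BSSIDs

    def update(kind, bssid, ts, count, limit):
        # Alert once on crossing the limit; re-arm when the rate drops back.
        if count <= limit:
            firing.discard((kind, bssid))
        elif (kind, bssid) not in firing:
            firing.add((kind, bssid))
            alerts.append((ts, kind, bssid))

    for f in sorted(frames, key=lambda f: f.ts):
        if f.subtype in ("deauth", "disassoc"):
            q = recent.setdefault((f.subtype, f.bssid), deque())
            q.append(f.ts)
            while q[0] <= f.ts - WINDOW_MS:
                q.popleft()
            update(f.subtype + "_flood", f.bssid, f.ts, len(q), DEAUTH_LIMIT)
        elif f.subtype == "beacon":
            if f.bssid not in seen:          # a flood shows up as many new BSSIDs
                seen.add(f.bssid)
                first_seen.append(f.ts)
            while first_seen and first_seen[0] <= f.ts - WINDOW_MS:
                first_seen.popleft()
            update("beacon_flood", "*", f.ts, len(first_seen), NEW_BSSID_LIMIT)
    return alerts

def sample_frames():
    """Constructed capture: two normal APs, then a deauth and a beacon flood."""
    ap1, ap2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [Frame(t, "beacon", ap) for t in range(0, 4000, 100) for ap in (ap1, ap2)]
    frames.append(Frame(500, "deauth", ap2))          # ordinary single deauth
    frames += [Frame(1000 + 10 * i, "deauth", ap1) for i in range(40)]
    frames += [Frame(2000 + 5 * i, "beacon", "02:ff:00:00:00:%02x" % i) for i in range(100)]
    return frames

if __name__ == "__main__":
    print(detect_floods(sample_frames()))
```

Counting new BSSIDs rather than raw beacons keeps the regular beacons of known APs from raising the beacon counter, and the single deauthentication frame in the sample stays below the per-BSSID limit.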
