1/27/02 Chapter 16 Wireless Networks


  1. Wireless Networks - Principal Characteristics
     • Provide network access without wires – to reduce cost of wiring, support inherently mobile devices – palms, laptops, PDAs.
     • Use unconstrained media (e.g., radio) for transmission – no wires
     • Three major system classes
         • Wide Area Networks (WAN) – world-wide (global) in extent
         • Local Area Networks (LAN) – campus-wide in extent
         • Personal Area Networks (PAN) – office-wide in extent
     • Relatively new technologies – first developed in the mid-80s
     • Strongly support personal mobility – locally to globally
     • Many protocols, technologies, and implementations (new)
     • Standards relatively immature
     • Many security problems at all levels – theory, standards, implementation
  2. Wireless Threats
     • Denial of Service – radio frequency jamming or message flooding
     • Interception – eavesdrop since the signals are broadcast over the air
     • Manipulation – changing messages
     • Masquerading – posing as a legitimate user to enter a network
     Any wireless system should protect against these threats in the basic system design, implementation, and operational environment. Some do well, others are in bad shape!
  3. Wireless Networks - Fundamentals
     [Diagram labels: Network Destination, Network Access Point, Wire Transmission Path, Radio Transmission Path, Mobile Devices (Cell Phone, Palm Pilot, Laptop)]
  4. Wireless Wide Area Networks (WAN)
     [Diagram labels: WAN – Wide Area Network (National/Global), Licensed, 800-900 MHz, 1.8-1.9 GHz]
     • Started with cellular phones (U.S., 1982)
         • 1G, 2G, 3G, 4G
     • Protocols - many
         • AMPS, TDMA, CDMA, GSM, CDPD, GPRS, UMT-2000,…
     • Rapid Growth – “By 2002, wireless phones worldwide will outnumber TVs and PCs combined.”
         • Strategic News Service
  5. Wireless Wide Area Networks (WAN)
     • Started with cell phones – many technologies & standards
     • Progressed through multiple generations
         • Analog voice phones
         • Digital voice phones
         • Web-enabled phones
     • Despite multiple generations, technology is still immature and changing dynamically (e.g., web access from a cell phone)
     • Many providers – crowded market
     • Interoperability a mixed bag – some good, some bad
     • Some very differentiated products (voice-only, data only, mixed)
     • Don’t expect convergence anytime soon
  6. Wireless Devices and Selected Characteristics
     • WAN Wireless Device: Access Point, Palm VII, Blackberry, Digital Phone, CDPD Modem
     • Purchase Cost ($): na, 500, 500, 125, 500
     • Network Service ($/device-yr): From fees, 240, 400, 360, 480
     • Network Bandwidth (kbps): 6, 6, 19, 19
     • Key Features: carrier owned; no Outlook, coverage; Outlook, coverage; voice, CDPD-WAP; good coverage
  7. Blackberry Handheld Devices – Single purpose device
     Wireless e-mail using Microsoft Exchange
  8. A Specific Service - Blackberry: Real-time messaging
     [Diagram labels: Colleague's Office, Outlook/Exchange Servers, Your Office, Firewall, Internet, Blackberry Network, You; steps numbered 1-6]
     1. Colleague sends urgent message to you
     2. Sent to Exchange servers
     3. Received at your desktop PC (if on)
     4. Encrypted and sent through the internet
     5. Transmitted by Blackberry network
     6. Blackberry receives and decrypts message for you
  9. Blackberry Architecture
     [Diagram labels: Blackberry Handheld, Wireless Network, Access Point, Internet, Firewall, Exchange Server, Blackberry Server, User’s Desktop]
  10. Blackberry Architecture – How It Works
     • Mail arrives at the user’s desktop in the usual way
     • Blackberry software is installed on the user’s desktop and configured according to user-specified filtering/forwarding rules
     • Messages to be forwarded are compressed and encrypted and forwarded to the Blackberry enterprise server that maintains an outbound connection to the Blackberry network (through the firewall and Internet)
     • Messages are forwarded and displayed on the Blackberry handheld
     • Similarly, messages can be originated on the handheld, sent back to the user’s desktop and sent out over the mail connection.
     • Can operate in two modes
         • Wireless LAN mode - as described above
         • Directly between two handheld devices (peer-to-peer)
  11. Blackberry Protection
     • Peer-to-peer mode is not secure (scrambled, but not encrypted)
     • Wireless network mode:
         • Symmetric encryption with key shared between desktop & handheld
         • 3DES encryption method, key exchange while handheld is docked
         • Server is behind firewall, only supports outbound connections, followed by out-bound/in-bound communications
     [Diagram labels: Secured Path, Unsecured Path, Blackberry, User’s Desktop, Another User]
  12. Wireless Local Area Network (LAN)
     [Diagram labels: WAN – Wide Area Network (National/Global); LAN – Local Area Network (Campus/Building), Unlicensed, 900 MHz, 2.4 GHz, 5 GHz]
     • IEEE Standards
         • 802.11, 1998 (2 Mbps)
         • 802.11b, 1999 (11 Mbps)
         • 802.11a, 1999 (54 Mbps)
     • Interface Prices
         • $500 – 1997 (2 Mbps)
         • $160 – 2000 (11 Mbps)
     • Wireless Options Today
         • Laptops - Apple, Dell, Gateway, IBM, Compaq, Acer…
  13. Wireless Local Area Network (LAN)
     [Diagram labels: You, Wireless Access Point, LAN, Lab/Conference Room, Your Office]
     • Work untethered
     • Improve productivity by saving time (use idle time, minimize meeting prep time)
     • Have real-time access for urgent messages and key information
  14. Local Area Networks (LAN)
     • Function – wireless equivalent to Ethernet Local Area Network
     • Based on IEEE standard 802.11 series
     • 802.11 – 1997, data rates to 2 Mb/s (outdated)
     • 802.11b - 1999, data rates to 11 Mb/s (available now)
     • 802.11g - 2000, data rates to 22 Mb/s (available 2002)
     • 802.11a - emerging, data rates to 54 Mb/s (available late 2001)
     • 802.11b is dominant technology being implemented.
     • Part of the specification is the Wired Equivalent Protocol (WEP) designed to protect link layer (over-the-air) traffic from eavesdropping and other attacks (in the words of the IEEE specification).
  15. IEEE 802.11 Standard
     The standard describes the Medium Access Control (MAC) and Physical Layer (PHY) specifications. 802.11 is one part of the 802 Specification as shown below.
     • Data Link Layer: 802.2 Logical Link Control, 802.1 Bridging, and the Medium Access part of each standard listed here
     • Physical Layer: the Physical part of each standard listed here
     • 802.3 (Ethernet): Medium Access, Physical
     • 802.4 (Token Bus): Medium Access, Physical
     • 802.5 (Token Ring): Medium Access, Physical
     • 802.6 (Dual Bus): Medium Access, Physical
     • 802.9 (Integrated Services): Medium Access, Physical
     • 802.11 (Wireless): Medium Access, Physical
     • 802.12 (Demand Priority): Medium Access, Physical
  16. 802.11 Wireless Local Area Network (LAN)
     • Three (3) possible physical layers are specified:
         • Infrared (short range – line of sight)
         • Frequency Hopping Spread Spectrum (FHSS)
         • Direct Sequence Spread Spectrum (DSSS)
     • Three frequency bands are used: 900 MHz, 2.4 GHz, and 5 GHz
     • 802.11b uses DSSS and the 2.4 GHz frequency band
     • This frequency band is the unregulated Industrial, Scientific, and Medical (ISM) band – possibility for interference. Range is a few 100 - 300 feet – multiple access points provide campus coverage (like cell phones)
     • 802.11b data rate is 11 Mb/s, but performance varies as a function of distance between the mobile device and the nearest access point
     • The specified protocol is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
  17. High Level Architecture
     [Diagram labels: Access Point, Access Point, Wired Network, Wireless Application Servers, Wireless Handheld (WinCE or Palm), R, To additional Network Segments]
  18. High Level Architecture – Text
     Mobile device (Personal Digital Assistant, laptop, Palm Pilot, etc.) requires a radio frequency transmitting/receiving modem and client software compatible with the IEEE standard.
     Access point is a bridge between the backside wired network and the frontside wireless network. It transmits and receives wireless protocol frames, does error control, authenticates and authorizes users, encrypts wireless traffic, interfaces to the wired network.
     [Picture labels: Access point, Laptop modem]
  19. Wired Equivalent Privacy (WEP) – 802.11 security
     According to the standard, particular attention was paid to:
     • Defeating an adversary's ability to eavesdrop on wireless transmissions in order to preserve confidentiality by encrypting the channel traffic
     • Providing integrity assurance that a message has not been modified in transit, and
     • Authenticating users over an encrypted channel
  20. Eavesdropping – 802.11 security
     • Since transmissions are broadcast over the airwaves, signals can be intercepted. Interception methods are different for each physical layer.
     • It has been argued that interception is difficult for infrared because of line-of-sight and short distance requirements, and for Frequency Hopping Spread Spectrum and Direct Sequence Spread Spectrum because of the pseudo-random nature of the signal spreading.
     • Reality is that any device designed to receive/transmit 802.11 signals is capable of intercepting all signals from a wireless network.
     • It is a simple matter to modify device drivers and/or flash memory to operate the device in promiscuous mode. Basic assumption – adversaries have access to all signals transmitted between access points and mobile devices!
  21. Eavesdropping Encrypted 802.11 Transmissions
     Eavesdropping is defeated if the signals are not intelligible – 802.11 encrypts transmissions using RC4, which was developed in 1987 by Ron Rivest at MIT and is considered a secure cipher. Reviewing:
     • The RC4 algorithm was kept secret for the first 7 years, but was anonymously posted to the Cypherpunks mailing list in 1994 and became public knowledge.
     • RC4 is a symmetric cipher and can use several different key lengths. The 802.11 specification allows for 40 bit (export controlled) and longer, typically 128 bit lengths, although specific lengths and implementations can vary by vendor.
     • RC4 is generally considered a strong cipher. The 802.11 implementation operates in Output Feedback (OFB) mode.
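  22. RC4 – Operated in Output Feedback mode
     [Diagram: encryption side (E) and decryption side (E⁻¹), each with Key, input stage I_j, output stage O_j fed back from O_{j-1}, and the leftmost r bits of the output combined with the data; labels: IV, Plaintext p_j, Ciphertext c_j, Plaintext p_j]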
  23. RC4 – Text description
     The RC4 algorithm has three (3) inputs: a random initialization vector IV, the random secret key k, and the plaintext P.
     The IV is input to E, the RC4 encryption algorithm, along with the key, and E produces a random keystream that is sent to the output box O. The output box shifts the keystream out a byte at a time and each byte is combined with a byte of plaintext under the Exclusive OR function.
     The output of E (the keystream) is also fed back to the I stage, which causes the keystream to vary as a function of IV and the plaintext.
     The process is reversed at the receiver. Both the IV value and the key must be known to the receiver.
  24. RC4 – more
     The secret key is initially distributed to the access point and the mobile device. The method is not specified by the IEEE 802.11 standard, but should be secret.
     The IV, which changes for each session, is sent in the clear as part of the initial handshake. The IV does not have to be secret since the strength of the algorithm is derived from the algorithm and key, not IV.
     However, the integrity of the IV must be maintained between the transmitter and receiver or the encryption/decryption breaks - won’t work.
     Also, the IV should not be re-used with the same key schedule. Consider 2 messages:
     $C_1 = P_1 \oplus \mathrm{RC4}(IV_1, K_1)$ and $C_2 = P_2 \oplus \mathrm{RC4}(IV_1, K_1)$
     $C_1 \oplus C_2 = (P_1 \oplus \mathrm{RC4}(IV_1, K_1)) \oplus (P_2 \oplus \mathrm{RC4}(IV_1, K_1))$
     That is, the EXOR of 2 ciphertexts will produce the EXOR of the two plaintexts. If one of the plaintexts is known, the second is revealed.
  25. Authentication in 802.11
     Two basic levels of authentication
     • Open System Authentication – the default that authenticates any device requesting authentication – essentially “none”
     • Shared-Key Authentication – The mobile device and the access point mutually authenticate to each other. Three state process:
         • Unauthenticated & unassociated
         • Authenticated and unassociated
         • Authenticated and associated
     • Involves passing messages between a mobile station and an access point.
  26. Authentication Messages
     Between Initiator (STA) and Responder (AP):
     • Authentication Request – Sequence # 1
     • Authentication Challenge – Sequence # 2
     • Authentication Response – Sequence # 3
     • Authentication Result – Sequence # 4
     Challenge is a pseudo-random number, must be re-played by the initiator. If successful, the process is repeated in reverse (i.e., mutual authentication)
  27. Integrity Assurance – No change in transit
     An integrity checksum is computed for each message exchanged between a station and an access point. If the checksum computed over the packet does not match the appended checksum, the packet is discarded and re-transmission requested.
     All of this sounds reasonable on the surface. Certainly the goals of authentication, integrity, and confidentiality are the appropriate ones for protecting the information.
     So…how do the standard and its implementation stack up? TERRIBLE!!!!!!!!!!!
  28. The Problems – High level
     • The authentication exchange reveals the secret key.
     • It is trivial to mount a known plaintext attack on the network to recover keys.
     • Integrity is not cryptographically assured – messages can be modified without being readily detected.
     • Finally, many wireless networks are being operated using open authentication without authentication or encryption. They are optional parts of the standard, not mandatory. Only the weak checksum is mandatory.
     So….How do we break such a network?
  29. Authentication Breaks
     We discussed the 4 message exchange earlier. The break works like this:
     • The first frame is sent in the clear to request authentication – that's OK.
     • The challenge response is returned by the AP – the challenge is not encrypted. The challenge is generated by combining a random number, an IV, and the shared key and is sent in the clear.
     • The responding station extracts the challenge, puts it into a response frame, encrypts it with the shared key using a new IV (sent in the clear) and sends it back.
     • The AP decrypts, checks integrity checksum and compares the challenge to the original – if successful, authentication of the station is successful.
     • An adversary need only capture the clear text challenge and the ciphertext challenge response. Knowing the IV, the attacker can derive the keystream.
     • The adversary can now create a valid response to a new challenge and join the network.
  30. Encryption Breaks
     • One of the issues with Output FeedBack (OFB) mode stream encryption is that encrypting two messages under the same IV and key can reveal information about both.
     • The IV is transmitted in the clear, so it is available. If the IV is a good random number and not re-used, it is protected. Trouble is the IV:
         • Is often initialized to 0 in some implementations (no standard requirement)
         • It is only 24 bits long. If initialized to 0, then it wraps around mod 24.
         • Doing the math: $2^{24} \times 2346$ B/packet = ~40 GB (~320 Gb).
         • The network has a capacity to do about 432 Gb per day
     • The adversary can send a message to the network (known plaintext) and sniff the ciphertext since the network will encrypt it for him (her).
  31. Encryption Breaks - contd
     Then the adversary sniffs the network for another instance of the same IV used for the known plaintext message and recovers that ciphertext.
     Now the adversary has a known plaintext/ciphertext pair encrypted with the same secret key and can recover the key.
     Since the keys are shared and typically manually distributed, they don’t change very often. That in itself is a problem – multiple users with the same key and difficulty in manually distributing keys tend to influence long time key use.
  32. Encryption Breaks - Recap
     1. Send a plaintext message to a user on the wireless network and sniff the network for the message. Moderate difficulty, trivial with insider help.
     2. Capture the IV (sent in the clear) and ciphertext.
     3. Sniff the network for another instance of the same IV with the original message. Not difficult, but may require significant storage space.
     4. On a hit, the adversary has:
         • Original plaintext/ciphertext pair encrypted with the secret key.
         • IV and new ciphertext encrypted with the same key.
         • $C_1 = P_1 \oplus \mathrm{RC4}(IV_1, K_1)$ and $C_2 = P_2 \oplus \mathrm{RC4}(IV_1, K_1)$
         • $C_1 \oplus C_2 = (P_1 \oplus \mathrm{RC4}(IV_1, K_1)) \oplus (P_2 \oplus \mathrm{RC4}(IV_1, K_1))$
         • $C_1$, $C_2$, $P_1$, and certainty that the same IV & key were used.
         • Then $C_1 \oplus C_2 \oplus P_1 = P_2$
  33. Encryption Breaks - Recap
     Test: Does $C_1 \oplus C_2 \oplus P_1 = P_2$?
     Assume $P_1 = 0010$, $P_2 = 0100$; keystream for IV, K = 1100
     $C_1 = 0010 \oplus 1100 = 1110$
     $C_2 = 0100 \oplus 1100 = 1000$
     $C_1 \oplus C_2 \oplus P_1 = 1110 \oplus 1000 \oplus 0010 = 0100$ --- QED
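The two breaks on slides 29 and 32-33, simulated in memory as an added example (not from the original slides): with the same IV and key, C1 xor C2 xor P1 yields P2, and one observed challenge/response pair yields keystream that satisfies the AP's check without the key. It assumes WEP's per-packet RC4 key is the IV prepended to the shared key; the key, IVs, messages and challenges are constructed sample values.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of keystream output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(msg: bytes) -> bytes:
    """Message followed by its CRC-32 (byte order is a choice made for this sketch)."""
    return msg + zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """(message || CRC-32) XOR RC4(IV || key); the IV travels in the clear."""
    body = with_icv(msg)
    return xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(iv: bytes, key: bytes, ct: bytes):
    """Return the message if the CRC-32 matches, else None."""
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    return body[:-4] if with_icv(body[:-4]) == body else None

# --- Constructed sample values, not taken from the slides ---
KEY = bytes.fromhex("0102030405")        # 40-bit shared key
IV1 = bytes.fromhex("000001")            # 24-bit IV, used for both frames below
P1 = b"PING from a known test host.."    # plaintext the observer already knows
P2 = b"quarterly numbers: 41, 17, 9."    # plaintext the observer does not know

def recover_p2(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Slide 32: C1 xor C2 xor P1 = P2 when both frames share IV and key."""
    return xor(xor(c1, c2), p1)

def keystream_from_auth(challenge: bytes, response_ct: bytes) -> bytes:
    """Slide 29: cleartext challenge XOR encrypted response = keystream for that IV."""
    return xor(with_icv(challenge), response_ct)

def ap_accepts(iv: bytes, response_ct: bytes, challenge: bytes) -> bool:
    """AP side of message 3: decrypt, check CRC-32, compare to its own challenge."""
    return wep_decrypt(iv, KEY, response_ct) == challenge

def demo():
    c1, c2 = wep_encrypt(IV1, KEY, P1), wep_encrypt(IV1, KEY, P2)
    leaked = recover_p2(c1, c2, P1)
    # Observed legitimate authentication: challenge in clear, response under iv_sta.
    iv_sta, chal = bytes.fromhex("0a0b0c"), bytes(range(128))
    ks = keystream_from_auth(chal, wep_encrypt(iv_sta, KEY, chal))
    # A later, different challenge answered with the recovered keystream only.
    new_chal = bytes(reversed(range(128)))
    keyless = xor(with_icv(new_chal), ks)
    return leaked, ap_accepts(iv_sta, keyless, new_chal)

if __name__ == "__main__":
    print(demo())
```

Because the responder picks the IV and the keystream depends only on IV and key, a passed shared-key check shows possession of some keystream, not of the key; this is the property 802.1X on slides 36-40 replaces.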
  34. Integrity Assurance
     The standard uses the following format:
     $(\text{Message} \,\|\, \text{CRC-32}) \oplus \text{Keystream} = \text{Ciphertext}$
     Transmitted data stream: IV, Ciphertext
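Why slide 28 calls integrity "not cryptographically assured", as an added example (not from the original slides): CRC-32 is linear under XOR, so a change to the ciphertext in the slide 34 format can be matched by a change to the encrypted checksum without the key, while a keyed MAC in the same position rejects it. The SHA-256 counter keystream is a stand-in for RC4(IV, K), HMAC-SHA256 is an illustrative replacement rather than anything 802.11 specified, and all keys and messages are constructed.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(n: int) -> bytes:
    """Stand-in for RC4(IV, K): any XOR keystream behaves the same way here."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-demo-key" + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def crc(msg: bytes) -> bytes:
    """Unkeyed 4-byte checksum, as in the slide 34 format."""
    return zlib.crc32(msg).to_bytes(4, "little")

MAC_KEY = b"constructed-mac-key"  # constructed value for the hardened variant

def mac(msg: bytes) -> bytes:
    """Keyed 32-byte tag; cannot be recomputed or patched without MAC_KEY."""
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def seal(msg: bytes, tag_fn) -> bytes:
    """(message || tag) XOR keystream."""
    body = msg + tag_fn(msg)
    return xor(body, keystream(len(body)))

def open_(ct: bytes, tag_fn, tag_len: int):
    """Receiver: decrypt, recompute the tag, return the message or None."""
    body = xor(ct, keystream(len(ct)))
    msg, tag = body[:-tag_len], body[-tag_len:]
    return msg if hmac.compare_digest(tag_fn(msg), tag) else None

def modify_in_transit(ct: bytes, delta: bytes, tag_len: int) -> bytes:
    """Flip message bits with no key and patch the tag as if it were a CRC-32,
    using crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00...0) for equal lengths."""
    patch = xor(crc(delta), crc(bytes(len(delta))))
    return xor(ct, delta + patch.ljust(tag_len, b"\x00"))

def demo():
    sent = b"setpoint=021C"      # constructed message
    altered = b"setpoint=091C"   # same length, one digit changed in transit
    delta = xor(sent, altered)
    with_crc = open_(modify_in_transit(seal(sent, crc), delta, 4), crc, 4)
    with_mac = open_(modify_in_transit(seal(sent, mac), delta, 32), mac, 32)
    return with_crc, with_mac

if __name__ == "__main__":
    print(demo())  # CRC variant accepts the altered message; MAC variant returns None
```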
  35. 802.11 Frame Formats
     Fields (octets): Frame Control (2), Duration (2), Dest. Address (6), Source Address (6), BSSID (6), Seq. No. (2), Frame Body (0 – 2312), FCS (4)
     • Frame Control: Version #; Frame type (control, data, management); sub-type; and numerous flags
     • Duration:
     • Destination Address:
     • Source Address:
     • BSSID:
     • Sequence Number:
     • Frame Body:
     • FCS:
  36. Improving Wireless Security – IEEE 802.1x
     In 802.11 users authenticate to access points and this is subject to the flaws we have already discussed.
     IEEE 802.1x describes an authentication method that is much stronger. Even better, it applies to wired networks as well as wireless networks.
     The authentication method is called Extensible Authentication Protocol (EAP) Over LANs (EAP-OL). It is an extension of EAP that was originally defined for dial-up authentication using the Point-to-Point Protocol PPP (see RFC 2284). It is also known as port authentication.
  37. Wired & Wireless Access Authentication
     Consider the following wired and wireless network connections:
     [Diagram labels: HUB, Port, Wired Link, Wireless Access Point (WAP), Port, Wireless Link]
     • Hub: Ethernet hub (or switch) with wired connections to desktop machines.
     • WAP: Wireless Access Point with wireless connections to wireless-equipped devices (e.g., laptops, PDAs, etc.).
     • Authentication: Provided by the port device or by a service called by the port device.
  38. Wired & Wireless Authentication
     In an Ethernet wired network and a Windows environment, a system enters the network at bootup by sending a request to the local network segment domain controller (found in the system configuration files). The domain controller prompts the system for authentication credentials (e.g., a username password pair). On success, the system is authenticated.
     In an 802.1 wireless network, the system associates with an access point and the access point authenticates the wireless system and allows/denies entry.
     As we have seen, the wireless method is easily defeated. IEEE 802.1x provides a method to call a stronger authenticator and will work with either a wired or wireless network.
  39. IEEE 802.1X Authentication
     [Diagram labels: User, Hub or Access Point (AP), Authentication Server (AS); steps numbered 1-4]
     • Step 1: Using EAP, the user requests authentication. The Hub or AP forwards the request to the AS.
     • Step 2: The AS issues a request for an authenticator (password, token, etc.).
     • Step 3: The user presents the authenticator.
     • Step 4: The AS authenticates or denies the access request and sends the result back to the AP and the user.
     If authentication succeeds, the AP opens a port for the user. All traffic is encrypted. Session keys are created by the AS and used by the user and AP.
  40. IEEE 802.1X Authentication
     The Authentication Server is specified in the standard as a RADIUS server.
     RADIUS = Remote Authentication Dial-In User Service
     RADIUS is the subject of two RFCs, 2138 and 2865. RFC 2865 is the current RFC and it describes the operations and protocols supported by a RADIUS server.
