10. Approaches to Mobile and Wireless Security

Basic approaches
Wireless LAN security
Wireless LAN security standards
Threats and solutions

This lecture note is partly based on Martin G. Nystrom (Cisco Systems, Inc)’s presentation on wireless security on March 2005.
http://xianshield.org/presos/Wireless Security Primer.ppt

Mobile Computing and Applications, Fall 2009


Basic Approaches


Fall 2009 Mobile Computing & Apps (Shin) 3

Security Primer

Traditional security issues
  – authentication
  – data integrity
  – confidentiality
  – authorization
  – nonrepudiation
  – availability

Threats to security
  – leakage
  – tampering
  – resource stealing
  – vandalism


Security Primer

Methods of attack
  – eavesdropping
  – masquerading
  – message tampering
  – replay
  – denial of service

Basic approaches
  – cryptography and public key infrastructure
  – authentication: data certificates, digital signatures, etc.
  – access control


Security Primer

System and data security
  – system access
      • authentication: verify user and service identity
      • authorization/accountability: control access to services
      • service availability: prevent unauthorized service degradation
      • resource protection: prevent accidental or intentional misuse
  – information access
      • user privacy: restrict disclosure of user identity and location
      • data integrity: detect alteration, forgery and replay
      • data privacy: ensure confidentiality despite snooping
      • data authentication: certify the origin of data


Security Primer

Leading protocols
  – Secure Sockets Layer (SSL)
  – Transport Layer Security (TLS)
  – Wireless Transport Layer Security (WTLS)
  – IP Security (IPSec)

Other security measures
  – firewalls
  – Virtual Private Networks (VPNs)
  – two-factor authentication
  – biometrics
  – security policy


Security Primer

Cryptography
  – transformation of messages
      • plain text → cipher text
  – transformation method
      • defined by function and key
      • function
          – defines an encryption algorithm
          – combines a key and data so that resulting data may be altered as much as possible
      • distribution and storage of keys: important
          – key distribution service


Security Primer

Data encryption
  – Secret key (or private key) algorithms
      • sender and receiver share a single key
      • computationally efficient, but initial key agreement is an issue
      • popular example is DES (Data Encryption Standard) which uses the 56-bit key
          – currently, can be deciphered in 3.5 hours with an inexpensive (< $500,000) computer
          – NIST has improved DES: AES (Advanced Encryption Standard) allows 128-, 192-, and 256-bit keys

[Figure: plaintext → encryption (key) → ciphertext → decryption (key) → original plaintext]


Security Primer

  – Public key algorithms
      • each user has a private key and public key
          – a user keeps private key for decryption and makes public key for encryption, vice versa
          – sender encrypts with public key while receiver decrypts with private key
      • computationally impractical to derive private from public
          – one-way function: y=f(x), hard to determine x from known value of y
      • popular examples are RSA and PGP

[Figure: plaintext → encryption (public key) → ciphertext → decryption (private key) → original plaintext]


Traditional Security Issues - Revisited

Integrity
  – system integrity
      • if the system performs its intended function in an unimpaired manner, in the presence of deliberate or inadvertent attack
  – data integrity
      • if the receiver can verify that the data received is exactly the same as the data transmitted by the sender

Confidentiality
  – if only intended recipient(s) can read the data

Nonrepudiation
  – if the sender can not falsely deny (i.e., repudiate) sending the data

Availability
  – if a third party with no access rights can not block legitimate parties from using a resource
  – e.g., denial of service (DoS) attack


Mobile and Wireless Security Issues

Detectability
  – mobile terminals need to remain undetected
  – also, the receiver may need to locate a sender

Resource depletion/exhaustion
  – attacks lead to shortening the lifespan or wasting all the power of the battery

Physical intercept problems
  – any receiver can intercept the signal in the air

Theft of service
  – access points may be available to any mobile users


Problems in Ad Hoc Networks

Problems in ad hoc networks
  – multi-hop connection intermediate nodes – data passes through several other ad hoc networks
  – man-in-the-middle attack to copy or corrupt data in transit

Routing
  – spoofing
      • one node impersonates another
  – ARP cache poisoning
      • causes all traffic to pass through a malicious node that permits “man-in-the-middle” attacks
      • the malicious node sees all traffic
  – key routing nodes
      • may be disabled via a resource-exhaustion attack


Problems in Ad Hoc Networks

Key management
  – issues
      • encryption
      • authentication
      • creating, sharing, storing, encryption keys
  – public key encryption
  – private key encryption
      • prekeying requires key-exchange protocol to change a private key not practical for mobile hosts


Problems in Ad Hoc Networks

Reconfiguring
  – dynamic, by nature – topology changes over time
  – old routes may no longer work

Hostile environment
  – unsecured physical locations such as coffee shops, airports, etc.
  – in the context of ad hoc networks of soldiers, for example, even signal detection could cause them to be captured or worse


Additional Issues: Commerce

Liability
  – responsible for secure management of company-owned computers and sensitive information
  – may be exposed or used as springboards to attack other Internet computers

Fear, uncertainty, and doubt
  – companies fear that security attacks may hamper their reputation

Fraud
  – typically purchases billed with stolen or faked credit card [numbers]

Big bucks at stake


Additional Types of Attacks

“Man in the middle” attacks
  – a malicious node inserts itself in the path between two nodes, like in the case of eavesdropping

Traffic analysis
  – attacker can gain insight by analyzing the traffic in terms of message size, traffic volume, sender-receiver, etc.

Replay attacks
  – reusing data in a packet observed by a malicious node

Buffer-overflow attacks
  – Extra data may cause the program to execute different code by changing variable values, program flow, or similar


Wireless LAN Security


Wireless Security – An Overview

[Figure: relationship diagram linking WEP, WPA, WPA2, 802.11i, 802.1X (EAPoL), RSN, AES-based CCMP, TKIP, MIC, RC4, WRAP and RADIUS, with edges labelled “uses”, “comprises”, “is replacing”, “implements”, “added” and “is a subset of”; the standards are grouped under WiFi Alliance and IEEE]

WEP: Wired Equivalent Privacy
WPA: Wi-Fi Protected Access
EAPoL: Extensible Authentication Protocol over LAN
RSN: Robust Security Network
AES: Advanced Encryption Standard
CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
WRAP: Wireless Robust Authenticated Protocol
RADIUS: Remote Authentication Dial-In User Service
RC4: Rivest’s Cipher 4 stream cipher
TKIP: Temporal Key Integrity Protocol
MIC: Message Integrity Check


802.11 Standards

802.11a – 54 Mbps@5 GHz
  – Not interoperable with 802.11b
  – Limited distance
  – Dual-mode APs require 2 chipsets, look like two APs to clients

802.11b – 11 Mbps@2.4 GHz
  – Full speed up to 300 feet
  – Coverage up to 1750 feet

802.11g – 54 Mbps@2.4 GHz
  – Same range as 802.11b
  – Backward-compatible with 802.11b
  – Speeds slower in dual-mode


802.11 Standards

802.11e – QoS
  – Dubbed “Wireless MultiMedia (WMM)” by WiFi Alliance

802.11i – Security
  – Adds AES encryption
  – Requires high-performance CPU, new chips required
  – TKIP (Temporal Key Integrity Protocol) is interim solution

802.11n – 100Mbps+ (in progress)

Wi-Fi Protected Access (WPA)
  – Subset of 802.11i, forward-compatible with 802.11i (WPA2)
  – Encryption: Version one uses TKIP
  – Authentication: 802.1x & EAP – allows auth via RADIUS; also allows auth via PSK
      • EAP: Extensible Authentication Protocol
      • RADIUS: Remote Authentication Dial-In User Service
      • PSK: Pre-Shared Key


802.11i – Wireless security

FIPS-140 compliant
AES replaces RC4 with TKIP
Dubbed “WPA2” by WiFi Alliance

Robust Security Network (RSN) for establishing secure communications
  – Uses 802.1x for authentication
  – Replaces TKIP

‘Counter with CBC (Cipher Block Chaining)-MAC’ Mode (CCMP) for encryption
  – CCM mode of AES
  – 128-bit keys, 48-bit IV (Initialization Vector)
  – CBC-MAC provides data integrity/authentication
  – CCMP mandatory with RSN
  – WRAP (Wireless Robust Authenticated Protocol) was initial selection, licensing rights/problems got in the way; replaced by CCMP

Federal Information Processing Standard 140 (FIPS): series of publications numbered 140 which are U.S. government computer security standards that specify requirements for cryptography modules


802.11 Security Approaches

Requirements
  – Shared media – like a network hub
      • Requires data privacy - encryption
  – Authentication necessary
      • Can access network without physical presence in building
      • Once you connect to wireless, you are an “insider” on the network

Security approaches
  – Closed network
      • SSID (Service Set ID) can be captured with passive monitoring
  – MAC filtering
      • MACs can be sniffed/spoofed
  – WEP
      • Can be cracked online/offline given enough traffic & time

(to be continued)


802.11 Security Approaches

Security approaches (cont.)
  – Change keys frequently
      • Traffic can still be decrypted offline
  – Place APs on DMZ
      • Requires VPN access to get back into network
  – Use VPN
      • Doesn’t handle roaming
  – Authentication portal
      • Example: Nocat (configurable restrictions to bandwidth and ports based on whether the user is trusted or not)
      • More stuff to configure
  – WPA and/or EAP


802.11 Authentication

Authentication methods
  – Open systems authentication
  – Shared key authentication
  – EAP / 802.1x

Open system authentication
  – Required by 802.11
  – Just requires SSID from client
  – Only identification required is MAC address of client
  – WEP key not verified, but device will drop packets it can’t decrypt


802.11 Authentication

Shared key authentication
  – Utilizes challenge/response
      • challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.
  – Requires & matches key
  – Steps
      • Client requests association to AP
      • AP issues challenge to client
      • Client responds with challenge encrypted by WEP key
      • AP decrypts client’s response & verifies
  – WEAK! Attacker sniffs plain-text AND cipher-text!


802.11 Authentication

802.1x authentication
  – Encapsulates EAP traffic over LAN (aka EAPoL)
      • EAP: Extensible Authentication Protocol
  – EAP: Standard for securely transporting authentication data
  – Supports a variety of authentication methods
      • LEAP (Lightweight EAP), EAP-TLS, etc.
  – Port-based – only access is to authentication server until authentication succeeds
      • Similar to what’s used on Ethernet switches
  – Originally designed for campus-wired networks
  – Requires little overhead by access point


802.11 Authentication

802.1x authentication (cont.)
  – 3 entities
      • Supplicant (e.g., laptop w/wireless card)
      • Authenticator (e.g., access point)
      • Authentication server (e.g., RADIUS)
  – Keys
      • Unique session key for each client
      • New WEP key each time client reauthenticates
      • Broadcast key
      • Shared by all clients
      • Mixed with IV to generate session keys
      • Rotated (Broadcast Key Rotation – BKR) regularly to generate new key space


802.11 Authentication

802.1x authentication (cont.)

[Figure: 802.1x authentication; source: nwfusion.com]


Wireless LAN Security Standards


Wired Equivalent Privacy (WEP)

Part of 802.11 specification
Shared key – 40/104 bits
Initialization vector (IV) = 24 bits
Uses RC4 for encryption
Weaknesses/attacks
  – FMS key recovery attack – weak IVs
  – Filter weak IVs to mitigate
  – IV too short, gets reused after 5 hours
  – IP redirection, MITM (Man-in-the-middle) attacks
  – Traffic injection attacks
  – Bit-flip attacks

WEP2 added, increases key length to 128 bits

TKIP/MIC to the rescue!

Note: the Fluhrer-Mantin-Shamir (FMS) attack allows a passive sniffer to recover WEP keys with as little as nine minutes of sniffing
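
The keystream problem behind two points in these notes, the shared key authentication remark ("Attacker sniffs plain-text AND cipher-text") and "IV too short, gets reused", shown as an added example that is not part of the original lecture. The key, IV, capture list and the 1500-byte frames at 11 Mbps used for the wrap-time estimate are constructed assumptions.

```python
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV followed by the shared key.
    The CRC-32 integrity value is left out to keep the focus on the keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def keystream_seen_in_shared_key_auth(challenge: bytes, response: bytes) -> bytes:
    """Whoever observes the clear-text challenge and the encrypted response
    holds both operands of the XOR, so the keystream for that IV is exposed."""
    return xor(challenge, response)


def iv_wrap_hours(link_bps: float, frame_bytes: int, iv_bits: int = 24) -> float:
    """Hours until a sequential IV counter of iv_bits wraps on a saturated link."""
    frames_per_second = link_bps / (frame_bytes * 8)
    return (2 ** iv_bits) / frames_per_second / 3600


def reused_ivs(frames):
    """frames: iterable of (transmitter, iv_hex). Returns pairs seen more than once,
    i.e. frames that were encrypted under an identical keystream."""
    counts = Counter(frames)
    return sorted(pair for pair, n in counts.items() if n > 1)


# Constructed sample values (not taken from any real network).
KEY = bytes.fromhex("0102030405")          # 40-bit shared key
IV = bytes.fromhex("00002a")               # 24-bit IV
CAPTURE = [
    ("00:11:22:33:44:55", "00002a"),
    ("00:11:22:33:44:55", "00002b"),
    ("00:11:22:33:44:66", "00002a"),       # same IV, different transmitter
    ("00:11:22:33:44:55", "00002a"),       # IV reuse by the first transmitter
]

if __name__ == "__main__":
    p1, p2 = b"first frame body", b"other frame body"
    c1, c2 = wep_encrypt(IV, KEY, p1), wep_encrypt(IV, KEY, p2)
    # Same IV + same key => same keystream, so it cancels out of c1 XOR c2.
    print("c1^c2 == p1^p2:", xor(c1, c2) == xor(p1, p2))
    print("IV wrap at 11 Mbps, 1500-byte frames: %.1f h" % iv_wrap_hours(11e6, 1500))
    print("reused IVs:", reused_ivs(CAPTURE))
```

Under the stated assumptions the 24-bit IV space wraps in roughly five hours, which is why TKIP and CCMP moved to a 48-bit per-packet counter.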


TKIP/MIC Overview

Fixes key reuse in WEP
Same encryption as WEP (RC4)
TKIP – Temporal Key Integrity Protocol
  – Protects IV by removing predictability
  – Broadcast WEP key rotation is a good alternative if you can’t support TKIP


TKIP/MIC Overview

MIC – Message Integrity Code, also called MICHAEL
  – Protects against bit-flip attacks by adding tamper-proof hash to messages
  – Must be implemented on clients & AP
  – Hash of random num + MAC header + sequence number + payload
  – Sequence number must be in order or packet rejected
  – Part of firmware, not O/S

TKIP Steps
  – Start with shared key
  – Add MAC address to get phase 1 key
  – Mix WEP key with IV to derive per-packet keys
  – Each packet encrypted separately, fights weaknesses in RC4 key scheduling algorithm
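
A receiver-side sketch of the two MIC rules on this slide (a keyed tag over MAC header + sequence number + payload, and rejection of frames whose sequence number is not in order), added here as an example and not taken from the lecture. HMAC-SHA256 truncated to 64 bits stands in for the Michael algorithm, and the key, header bytes and frame layout are constructed assumptions.

```python
import hashlib
import hmac
import struct

MIC_LEN = 8  # Michael produces a 64-bit tag; the stand-in HMAC is truncated to match


def compute_mic(mic_key: bytes, mac_header: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed tag over MAC header + sequence number + payload.
    HMAC-SHA256 is a stand-in for Michael (assumption, not the TKIP algorithm)."""
    msg = mac_header + struct.pack(">Q", seq) + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(mic_key: bytes, mac_header: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: attach the tag to the frame (hypothetical dict layout)."""
    return {"hdr": mac_header, "seq": seq, "payload": payload,
            "mic": compute_mic(mic_key, mac_header, seq, payload)}


class Receiver:
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = {}  # MAC header -> highest sequence number accepted so far

    def accept(self, frame: dict) -> str:
        expected = compute_mic(self.mic_key, frame["hdr"], frame["seq"], frame["payload"])
        # Constant-time comparison; a flipped bit anywhere in the covered fields fails here.
        if not hmac.compare_digest(expected, frame["mic"]):
            return "reject: bad MIC"
        # Replayed or out-of-order frames carry a valid MIC but a stale sequence number.
        if frame["seq"] <= self.last_seq.get(frame["hdr"], -1):
            return "reject: sequence not increasing"
        # The counter only advances for authenticated frames, so a forged frame
        # with a huge sequence number cannot lock out the legitimate sender.
        self.last_seq[frame["hdr"]] = frame["seq"]
        return "accept"


# Constructed sample values.
MIC_KEY = b"constructed-mic-key"
HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    rx = Receiver(MIC_KEY)
    f1 = build_frame(MIC_KEY, HDR, 1, b"hello")
    f2 = build_frame(MIC_KEY, HDR, 2, b"world")
    print(rx.accept(f1))                          # in-order frame
    print(rx.accept(dict(f2, payload=b"worle")))  # payload altered in transit
    print(rx.accept(f2))                          # untouched frame
    print(rx.accept(f1))                          # replay of an earlier frame
```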


TKIP/MIC Overview

[Figure: TKIP per-packet keying]


WiFi Protected Access (WPA)

Developed to replace WEP, improve authentication
  – Software upgrade to existing hardware
  – Forward-compatible with 802.11i

Encryption key management: TKIP
  – Doubled IV to 48-bits
  – Better protection from replay & IV collision attacks
  – Per-packet keying (PPK)
  – Protects against key-recovery attacks (AirSnort)
  – Broadcast key rotation


WPA

Message integrity: Michael (message integrity code)
  – Protects against forgery attacks

Authentication:
  – 802.1x and EAP
  – Mutual authentication
  – So you don’t join rogue networks and give up your credentials


WPA

WEP vs. WPA vs. WPA2

                  WEP                              WPA                               WPA2
Encryption        RC4                              RC4                               AES
Key rotation      None                             Dynamic session keys              Dynamic session keys
Key distribution  Manually typed into each device  Automatic distribution available  Automatic distribution available
Authentication    Uses WEP key                     Can use 802.1x & EAP              Can use 802.1x & EAP


WPA

WPA deployment modes
  – Enterprise
      • w/RADIUS for authentication
  – Home or SOHO
      • Aka “Pre-Shared Keys (PSK)” mode
      • User enters master key on each computer
      • Master key kicks off TKIP & key rotation
  – Mixed-mode
      • Operates in WEP-only if any non-WPA clients


EAP Types

Cisco LEAP
  – Username/password authentication
  – Per-user, per-session encryption keys w/WEP
  – Vulnerable to password/hash-based attacks

EAP-TLS
  – Mutual authentication based on X.509 certs
  – 802.11i default

EAP-TTLS / PEAP
  – Tunneled TLS
  – Doesn’t require client certs

PEAP
  – Tunneled authentication
  – Like EAP-TTLS

EAP-GTC
  – Authentication via one-time passwords

EAP-FAST
  – Client & server have same key (symmetric), establishes secure tunnel
  – Authentication happens over secure tunnel
  – Like VPN authentication today


Threats and Solutions


WLAN Threats

Threats
  – Malicious hacking attempts
  – Rogue Access Points
  – Denial-of-Service (DoS)
  – Mobile devices

Hacking attempts
  – War driving/walking/flying
  – Disgruntled employee
  – Industrial espionage
  – Electronic warfare


Hacking Methods

Traffic generation
  – Flood network w/captured traffic to break WEP more quickly
  – Break 40-bit WEP in 1 hour (in lab)
  – Defense: Filter weak IVs in AP

Man-in-the-middle
  – Can be used w/one-way authentication (open, shared, 802.1x)
  – Must know WEP key if WEP-protected
  – Requires signal that overpowers AP’s signal
  – Tool: hostap (advertises wireless client as host AP)
  – Can be used to collect credentials or deny service
  – Tools: Monkey-jack, AirJack


Hacking Methods

Get MAC addresses to figure out default settings

Web sites give defaults
  – MAC addresses
  – DHCP address ranges
  – Admin passwords/settings

Some sites post WEP keys
  – Universities, especially


Rogue Access Points

Probably the most serious security threat to your network

No such thing as a “non-wireless company”

Mitigate by
  – (1) Strong and documented WLAN security policy
  – (2) Detection
      • Radio based, client based & network based
  – (3) Provide “approved” WLAN services
      • No longer need for rogue deployments


Rogue Access Points

Cisco - rogue AP detection
  – Via “wired” scanning
      • Regular full scan
      • Tool similar to “APTools”
      • Device fingerprinting
      • Includes remote networks (home)
  – Via “wireless” scanning
      • AP or client
      • Through WLSE

WLSE (Wireless LAN Solution Engine): an appliance offered by Cisco to manage Cisco's Aironet line of "autonomous" wireless access points and bridges.


Denial of Service

Can be malicious or “accidental”

Example: Send de-authenticate frames using MAC of AP

Mitigated by:
  – Careful radio management (WLSE)
  – Prudent AP configuration (EMAN)
  – Monitor the airwaves (WLSE)
  – Stable authentication back-end


Wireless LAN Security

Recommended Best Practices
  – Implement Secure Management Policy for APs/Bridges
      • Disable Telnet, disable http access, disable CDP, enable SSH, and enable TACACS for Admin authentication
  – Publicly Secure Packet Forwarding (PSPF)
      • no inter-client communication on specific VLANs
  – Virus Scanning + Firewall
      • recommended on WLAN Clients
  – RF Monitoring and Rogue AP Detection
      • Radio, client & network based scanning
      • Wireless IDS (WLSE 2.7)
  – Select appropriate EAP mechanism

Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol for communication with an authentication server commonly used in UNIX networks.


Wireless LAN Security

Detection
  – Can detect active scanning tools
      • NetStumbler leaves well-known fingerprints in logs
  – MAC spoofing
      • FakeAP – detect short time between broadcasts w/sniffer
  – WEP reinjection
      • FCS (frame check sequence) has consistent value (would change if it were true data traffic)
  – IDS
      • Snort-wireless
      • Snort plug-ins detect rogue APs & active scanning
      • Kismet detects active scanning, M-I-M attacks
      • WIDZ detects attacks & rogue APs
      • AirDefense detects attacks & rogue APs (commercial)
      • AirMagnet w/distributed sensors
      • Cisco SWAN deploys sensors into APs
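
Three of the sniffer-side checks named in these notes (radio-based rogue AP detection, short time between beacons, and a constant FCS on data frames) written as detection logic over a frame summary, as an added example that is not part of the original lecture. The record layout, the addresses, the SSID and the thresholds are constructed assumptions; a default beacon interval of about 102.4 ms is taken as the normal spacing.

```python
from collections import defaultdict
from statistics import median


def unapproved_aps(frames, approved_bssids):
    """Radio-based rogue AP check: beaconing transmitters missing from the AP inventory."""
    found = {}
    for f in frames:
        if f["type"] == "beacon" and f["ta"] not in approved_bssids:
            found[f["ta"]] = f["ssid"]
    return found


def short_beacon_gaps(frames, min_gap_s=0.05, min_gaps=3):
    """Transmitters whose median beacon spacing is far below the usual interval."""
    times = defaultdict(list)
    for f in frames:
        if f["type"] == "beacon":
            times[f["ta"]].append(f["ts"])
    flagged = []
    for ta, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= min_gaps and median(gaps) < min_gap_s:
            flagged.append(ta)
    return sorted(flagged)


def constant_fcs(frames, min_frames=5):
    """Transmitters whose data frames keep arriving with one FCS value.
    Genuine traffic changes the FCS whenever the frame contents change."""
    seen = defaultdict(list)
    for f in frames:
        if f["type"] == "data":
            seen[f["ta"]].append(f["fcs"])
    return sorted(ta for ta, values in seen.items()
                  if len(values) >= min_frames and len(set(values)) == 1)


def analyze(frames, approved_bssids):
    return {
        "unapproved_aps": unapproved_aps(frames, approved_bssids),
        "short_beacon_gaps": short_beacon_gaps(frames),
        "constant_fcs": constant_fcs(frames),
    }


# Constructed capture summary: ts in seconds, ta = transmitter address.
APPROVED = {"aa:aa:aa:00:00:01"}
FRAMES = (
    [{"ts": i * 0.1024, "type": "beacon", "ta": "aa:aa:aa:00:00:01", "ssid": "corp"}
     for i in range(5)]
    + [{"ts": i * 0.010, "type": "beacon", "ta": "02:00:00:00:00:99", "ssid": "corp"}
       for i in range(5)]
    + [{"ts": 1 + i * 0.002, "type": "data", "ta": "cc:cc:cc:00:00:07", "fcs": 0x1A2B3C4D}
       for i in range(6)]
    + [{"ts": 2 + i * 0.020, "type": "data", "ta": "cc:cc:cc:00:00:08", "fcs": 0x1000 + i}
       for i in range(6)]
)

if __name__ == "__main__":
    for finding, value in analyze(FRAMES, APPROVED).items():
        print(finding, "->", value)
```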