10. Approaches to Mobile and Wireless Security
Basic approaches
Wireless LAN security
Wireless LAN security standards
Threats and solutions
This lecture note is partly based on Martin G. Nystrom (Cisco Systems, Inc)'s presentation on wireless security in March 2005. http://xianshield.org/presos/Wireless Security Primer.ppt
Mobile Computing and Applications, Fall 2009
Basic Approaches
Fall 2009 Mobile Computing & Apps (Shin) 3
Security Primer
Traditional security issues
– authentication
– data integrity
– confidentiality
– authorization
– nonrepudiation
– availability
Threats to security
– leakage
– tampering
– resource stealing
– vandalism

Security Primer
Methods of attack
– eavesdropping
– masquerading
– message tampering
– replay
– denial of service
Basic approaches
– cryptography and public key infrastructure
– authentication: data certificates, digital signatures, etc.
– access control

Security Primer
System and data security
– system access
  • authentication: verify user and service identity
  • authorization/accountability: control access to services
  • service availability: prevent unauthorized service degradation
  • resource protection: prevent accidental or intentional misuse
– information access
  • user privacy: restrict disclosure of user identity and location
  • data integrity: detect alteration, forgery and replay
  • data privacy: ensure confidentiality despite snooping
  • data authentication: certify the origin of data

Security Primer
Leading protocols
– Secure Sockets Layer (SSL)
– Transport Layer Security (TLS)
– Wireless Transport Layer Security (WTLS)
– IP Security (IPSec)
Other security measures
– firewalls
– Virtual Private Networks (VPNs)
– two-factor authentication
– biometrics
– security policy

Security Primer
Cryptography
– transformation of messages
  • plain text → cipher text
– transformation method
  • defined by function and key
  • function
    – defines an encryption algorithm
    – combines a key and data so that resulting data may be altered as much as possible
  • distribution and storage of keys: important
    – key distribution service

Security Primer
Data encryption
– Secret key (or private key) algorithms
  • sender and receiver share a single key
  • computationally efficient, but initial key agreement is an issue
  • popular example is DES (Data Encryption Standard), which uses a 56-bit key
    – currently, can be deciphered in 3.5 hours with an inexpensive (< $500,000) computer
    – NIST has improved DES: AES (Advanced Encryption Standard) allows 128-, 192-, and 256-bit keys
[Figure: plaintext → encryption (key) → ciphertext → decryption (key) → original plaintext]

Security Primer
– Public key algorithms
  • each user has a private key and a public key
    – a user keeps the private key for decryption and makes the public key available for encryption, or vice versa
    – sender encrypts with public key while receiver decrypts with private key
  • computationally impractical to derive private from public
    – one-way function: y=f(x), hard to determine x from known value of y
  • popular examples are RSA and PGP
[Figure: plaintext → encryption (public key) → ciphertext → decryption (private key) → original plaintext]

Traditional Security Issues - Revisited
Integrity
– system integrity
  • if the system performs its intended function in an unimpaired manner, in the presence of deliberate or inadvertent attack
– data integrity
  • if the receiver can verify that the data received is exactly the same as the data transmitted by the sender
Confidentiality
– if only intended recipient(s) can read the data
Nonrepudiation
– if the sender can not falsely deny (i.e., repudiate) sending the data
Availability
– if a third party with no access rights can not block legitimate parties from using a resource
– e.g., denial of service (DoS) attack

Mobile and Wireless Security Issues
Detectability
– mobile terminals need to remain undetected
– also, the receiver may need to locate a sender
Resource depletion/exhaustion
– attacks lead to shortening the lifespan or wasting all the power of the battery
Physical intercept problems
– any receiver can intercept the signal in the air
Theft of service
– access points may be available to any mobile users

Problems in Ad Hoc Networks
Problems in ad hoc networks
– multi-hop connection through intermediate nodes
– data passes through several other ad hoc networks
– man-in-the-middle attack to copy or corrupt data in transit
Routing
– spoofing
  • one node impersonates another
– ARP cache poisoning
  • causes all traffic to pass through a malicious node that permits “man-in-the-middle” attacks
  • the malicious node sees all traffic
– key routing nodes
  • may be disabled via a resource-exhaustion attack

Problems in Ad Hoc Networks
Key management
– issues
  • encryption
  • authentication
  • creating, sharing, storing encryption keys
– public key encryption
– private key encryption
  • prekeying requires a key-exchange protocol to change a private key: not practical for mobile hosts

Problems in Ad Hoc Networks
Reconfiguring
– dynamic, by nature
– topology changes over time
– old routes may no longer work
Hostile environment
– unsecured physical locations such as coffee shops, airports, etc.
– in the context of ad hoc networks of soldiers, for example, even signal detection could cause them to be captured or worse

Additional Issues: Commerce
Liability
– responsible for secure management of company-owned computers and sensitive information
– may be exposed or used as springboards to attack other Internet computers
Fear, uncertainty, and doubt
– companies fear that security attacks may hamper their reputation
Fraud
– typically purchases billed with stolen or faked credit card [numbers]
Big bucks at stake

Additional Types of Attacks
“Man in the middle” attacks
– a malicious node inserts itself in the path between two nodes, like in the case of eavesdropping
Traffic analysis
– attacker can gain insight by analyzing the traffic in terms of message size, traffic volume, sender-receiver, etc.
Replay attacks
– reusing data in a packet observed by a malicious node
Buffer-overflow attacks
– extra data may cause the program to execute different code by changing variable values, program flow, or similar
Wireless LAN Security

Wireless Security – An Overview
[Figure: diagram relating WPA2, WPA, WEP, 802.11i, 802.1X (EAPoL), RSN, AES-based CCMP, TKIP, MIC, RC4, WRAP and RADIUS through "uses", "comprises", "implements", "is replacing", "added" and "is a subset of" links, with the WiFi Alliance and IEEE as the bodies behind them]
WEP: Wired Equivalent Privacy
WPA: Wi-Fi Protected Access
EAPoL: Extensible Authentication Protocol over LAN
RSN: Robust Security Network
AES: Advanced Encryption Standard
CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
WRAP: Wireless Robust Authenticated Protocol
RADIUS: Remote Authentication Dial-In User Service
RC4: Rivest’s Cipher 4 stream cipher
TKIP: Temporal Key Integrity Protocol
MIC: Message Integrity Check

802.11 Standards
802.11a – 54 Mbps @ 5 GHz
– Not interoperable with 802.11b
– Limited distance
– Dual-mode APs require 2 chipsets, look like two APs to clients
802.11b – 11 Mbps @ 2.4 GHz
– Full speed up to 300 feet
– Coverage up to 1750 feet
802.11g – 54 Mbps @ 2.4 GHz
– Same range as 802.11b
– Backward-compatible with 802.11b
– Speeds slower in dual-mode

802.11 Standards
802.11e – QoS
– Dubbed “Wireless MultiMedia (WMM)” by WiFi Alliance
802.11i – Security
– Adds AES encryption
– Requires high-performance CPU, new chips required
– TKIP (Temporal Key Integrity Protocol) is interim solution
802.11n – 100Mbps+ (in progress)
Wi-Fi Protected Access (WPA)
– Subset of 802.11i, forward-compatible with 802.11i (WPA2)
– Encryption: Version one uses TKIP
– Authentication: 802.1x & EAP – allows auth via RADIUS; also allows auth via PSK
  • EAP: Extensible Authentication Protocol
  • RADIUS: Remote Authentication Dial-In User Service
  • PSK: Pre-Shared Key

802.11i – Wireless security
FIPS-140 compliant
AES replaces RC4 with TKIP
Dubbed “WPA2” by WiFi Alliance
Robust Security Network (RSN) for establishing secure communications
– Uses 802.1x for authentication
– Replaces TKIP
‘Counter with CBC (Cipher Block Chaining)-MAC’ Mode (CCMP) for encryption
– CCM mode of AES
– 128-bit keys, 48-bit IV (Initialization Vector)
– CBC-MAC provides data integrity/authentication
– CCMP mandatory with RSN
– WRAP (Wireless Robust Authenticated Protocol) was the initial selection; licensing rights/problems got in the way, so it was replaced by CCMP
Federal Information Processing Standard 140 (FIPS): a series of publications numbered 140, which are U.S. government computer security standards that specify requirements for cryptography modules

802.11 Security Approaches
Requirements
– Shared media – like a network hub
  • Requires data privacy - encryption
– Authentication necessary
  • Can access network without physical presence in building
  • Once you connect to wireless, you are an “insider” on the network
Security approaches
– Closed network
  • SSID (Service Set ID) can be captured with passive monitoring
– MAC filtering
  • MACs can be sniffed/spoofed
– WEP
  • Can be cracked online/offline given enough traffic & time
to be continued

802.11 Security Approaches
Security approaches (cont.)
– Change keys frequently
  • Traffic can still be decrypted offline
– Place APs on DMZ
  • Requires VPN access to get back into network
– Use VPN
  • Doesn’t handle roaming
– Authentication portal
  • Example: Nocat (configurable restrictions to bandwidth and ports based on whether the user is trusted or not)
  • More stuff to configure
– WPA and/or EAP

802.11 Authentication
Authentication methods
– Open systems authentication
– Shared key authentication
– EAP / 802.1x
Open system authentication
– Required by 802.11
– Just requires SSID from client
– Only identification required is MAC address of client
– WEP key not verified, but device will drop packets it can’t decrypt

802.11 Authentication
Shared key authentication
– Utilizes challenge/response
  • challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.
– Requires & matches key
– Steps
  • Client requests association to AP
  • AP issues challenge to client
  • Client responds with challenge encrypted by WEP key
  • AP decrypts client's response & verifies
– WEAK! Attacker sniffs plain-text AND cipher-text!
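The four steps above and the reason the slide calls them weak, as an added example that is not part of the original lecture note. It is a simplified model of the exchange (RC4 seeded with IV || key, CRC-32 as the ICV); the key, IV and challenge bytes are constructed sample values.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")

def client_response(wep_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Step 3: challenge + ICV encrypted under RC4(IV || key); IV sent in clear."""
    body = challenge + icv(challenge)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))

def ap_verify(wep_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Step 4: AP decrypts with the IV carried in the frame and compares."""
    iv, ct = response[:3], response[3:]
    body = xor(ct, rc4_keystream(iv + wep_key, len(ct)))
    return body[:-4] == challenge and body[-4:] == icv(challenge)

def disclosed_keystream(challenge: bytes, response: bytes) -> bytes:
    """What a passive listener can compute from the two sniffed frames:
    plaintext XOR ciphertext = the RC4 keystream for that IV, no key needed."""
    return xor(challenge + icv(challenge), response[3:])

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")             # constructed 24-bit IV
    c1, c2 = bytes(range(128)), bytes(reversed(range(128)))
    r1, r2 = client_response(key, iv, c1), client_response(key, iv, c2)
    print("AP accepts legitimate response:", ap_verify(key, c1, r1))
    ks = disclosed_keystream(c1, r1)
    print("sniffed values reveal keystream:", ks == rc4_keystream(iv + key, 132))
    print("same keystream for any challenge:", ks == disclosed_keystream(c2, r2))
```

The disclosed keystream depends only on the IV and key, not on the challenge, so a correct response does not prove knowledge of the key; this is the gap that 802.1x/EAP authentication closes.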

802.11 Authentication
802.1x authentication
– Encapsulates EAP traffic over LAN (aka EAPoL)
  • EAP: Extensible Authentication Protocol
– EAP: Standard for securely transporting authentication data
– Supports a variety of authentication methods
  • LEAP (Lightweight EAP), EAP-TLS, etc.
– Port-based – only access is to authentication server until authentication succeeds
  • Similar to what’s used on Ethernet switches
– Originally designed for campus-wired networks
– Requires little overhead by access point

802.11 Authentication
802.1x authentication (cont.)
– 3 entities
  • Supplicant (e.g., laptop w/wireless card)
  • Authenticator (e.g., access point)
  • Authentication server (e.g., RADIUS)
– Keys
  • Unique session key for each client
    – New WEP key each time client reauthenticates
  • Broadcast key
    – Shared by all clients
    – Mixed with IV to generate session keys
    – Rotated (Broadcast Key Rotation – BKR) regularly to generate new key space

802.11 Authentication
802.1x authentication (cont.)
[Figure: 802.1x authentication; source: nwfusion.com]
Wireless LAN Security Standards

Wired Equivalent Privacy (WEP)
Part of 802.11 specification
Shared key – 40/104 bits
Initialization vector (IV) = 24 bits
Uses RC4 for encryption
Weaknesses/attacks
– FMS key recovery attack – weak IVs
– Filter weak IVs to mitigate
– IV too short, gets reused after 5 hours
– IP redirection, MITM (Man-in-the-middle) attacks
– Traffic injection attacks
– Bit-flip attacks
WEP2 added, increases key length to 128 bits
TKIP/MIC to the rescue!
The Fluhrer-Mantin-Shamir (FMS) attack allows a passive sniffer to recover WEP keys with as little as nine minutes of sniffing

TKIP/MIC Overview
Fixes key reuse in WEP
Same encryption as WEP (RC4)
TKIP – Temporal Key Integrity Protocol
– Protects IV by removing predictability
– Broadcast WEP key rotation is a good alternative if you can’t support TKIP

TKIP/MIC Overview
MIC – Message Integrity Code, also called MICHAEL
– Protects against bit-flip attacks by adding tamper-proof hash to messages
– Must be implemented on clients & AP
– Hash of random num + MAC header + sequence number + payload
– Sequence number must be in order or packet rejected
– Part of firmware, not O/S
TKIP Steps
– Start with shared key
– Add MAC address to get phase 1 key
– Mix WEP key with IV to derive per-packet keys
– Each packet encrypted separately, fights weaknesses in RC4 key scheduling algorithm
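Why WEP's ICV does not stop the bit-flip attacks listed earlier while a keyed MIC with an in-order sequence number does, as an added example that is not part of the original lecture note. It is a model only: a SHAKE-256 stream stands in for RC4, truncated HMAC-SHA256 stands in for Michael, the MAC header and random number are left out of the tag, and all keys and payloads are constructed.

```python
import hashlib
import hmac
import zlib

def stream(key: bytes, n: int) -> bytes:
    # Stand-in for the RC4 keystream (assumption); the flaw needs only XOR encryption.
    return hashlib.shake_256(key).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

# WEP style: unkeyed CRC-32 ICV encrypted with the payload
def wep_seal(key: bytes, payload: bytes) -> bytes:
    body = payload + crc(payload)
    return xor(body, stream(key, len(body)))

def wep_open(key: bytes, frame: bytes):
    body = xor(frame, stream(key, len(frame)))
    payload, tag = body[:-4], body[-4:]
    return payload if tag == crc(payload) else None

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """In-transit change made without the key. CRC-32 is linear over XOR:
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the ICV can be patched."""
    patch = xor(crc(delta), crc(bytes(len(delta))))
    return xor(frame, delta + patch)

# TKIP/MIC style: keyed tag over sequence number + payload
def mic(mic_key: bytes, seq: int, payload: bytes) -> bytes:
    # HMAC-SHA256 truncated to 8 bytes stands in for Michael (assumption).
    msg = seq.to_bytes(6, "big") + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:8]

def mic_seal(key: bytes, mic_key: bytes, seq: int, payload: bytes) -> bytes:
    body = payload + mic(mic_key, seq, payload)
    return xor(body, stream(key + seq.to_bytes(6, "big"), len(body)))

class MicReceiver:
    def __init__(self, key: bytes, mic_key: bytes):
        self.key, self.mic_key, self.last_seq = key, mic_key, -1

    def accept(self, seq: int, frame: bytes):
        if seq <= self.last_seq:                 # out of order or replayed
            return None
        body = xor(frame, stream(self.key + seq.to_bytes(6, "big"), len(frame)))
        payload, tag = body[:-8], body[-8:]
        if not hmac.compare_digest(tag, mic(self.mic_key, seq, payload)):
            return None                          # tampered in transit
        self.last_seq = seq
        return payload

if __name__ == "__main__":
    k, mk, p = b"constructed-key", b"constructed-mic-key", b"PAY 0010 TO ACCT A"
    d = bytes(4) + b"\x09" + bytes(len(p) - 5)   # flips '0' to '9' at offset 4
    print(wep_open(k, flip_bits(wep_seal(k, p), d)))   # modified payload accepted
    rx, f = MicReceiver(k, mk), mic_seal(k, mk, 1, p)
    print(rx.accept(1, xor(f, d + bytes(8))), rx.accept(1, f), rx.accept(1, f))
```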

TKIP/MIC Overview
[Figure: TKIP per-packet keying]

WiFi Protected Access (WPA)
Developed to replace WEP, improve authentication
– Software upgrade to existing hardware
– Forward-compatible with 802.11i
Encryption key management: TKIP
– Doubled IV to 48-bits
– Better protection from replay & IV collision attacks
– Per-packet keying (PPK)
– Protects against key-recovery attacks (AirSnort)
– Broadcast key rotation

WPA
Message integrity: Michael (message integrity code)
– Protects against forgery attacks
Authentication:
– 802.1x and EAP
– Mutual authentication
– So you don’t join rogue networks and give up your credentials

WPA
WEP vs. WPA vs. WPA2
                  WEP                              WPA                               WPA2
Encryption        RC4                              RC4                               AES
Key rotation      None                             Dynamic session keys              Dynamic session keys
Key distribution  Manually typed into each device  Automatic distribution available  Automatic distribution available
Authentication    Uses WEP key                     Can use 802.1x & EAP              Can use 802.1x & EAP

WPA
WPA deployment modes
– Enterprise
  • w/RADIUS for authentication
– Home or SOHO
  • Aka “Pre-Shared Keys (PSK)” mode
  • User enters master key on each computer
  • Master key kicks off TKIP & key rotation
– Mixed-mode
  • Operates in WEP-only if any non-WPA clients

EAP Types
Cisco LEAP
– Username/password authentication
– Per-user, per-session encryption keys w/WEP
– Vulnerable to password/hash-based attacks
EAP-TLS
– Mutual authentication based on X.509 certs
– 802.11i default
EAP-TTLS / PEAP
– Tunneled TLS
– Doesn’t require client certs
PEAP
– Tunneled authentication
– Like EAP-TTLS
EAP-GTC
– Authentication via one-time passwords
EAP-FAST
– Client & server have same key (symmetric), establishes secure tunnel
– Authentication happens over secure tunnel
– Like VPN authentication today
Threats and Solutions

WLAN Threats
Threats
– Malicious hacking attempts
– Rogue Access Points
– Denial-of-Service (DoS)
– Mobile devices
Hacking attempts
– War driving/walking/flying
– Disgruntled employee
– Industrial espionage
– Electronic warfare

Hacking Methods
Traffic generation
– Flood network w/captured traffic to break WEP more quickly
– Break 40-bit WEP in 1 hour (in lab)
– Defense: Filter weak IVs in AP
Man-in-the-middle
– Can be used w/one-way authentication (open, shared, 802.1x)
– Must know WEP key if WEP-protected
– Requires signal that overpowers AP’s signal
– Tool: hostap (advertises wireless client as host AP)
– Can be used to collect credentials or deny service
– Tools: Monkey-jack, AirJack

Hacking Methods
Get MAC addresses to figure out default settings
Web sites give defaults
– MAC addresses
– DHCP address ranges
– Admin passwords/settings
Some sites post WEP keys
– Universities, especially

Rogue Access Points
Probably the most serious security threat to your network
No such thing as a “non-wireless company”
Mitigate by
– (1) Strong and documented WLAN security policy
– (2) Detection
  • Radio based, client based & network based
– (3) Provide “approved” WLAN services
  • No longer need for rogue deployments

Rogue Access Points
Cisco - rogue AP detection
– Via “wired” scanning
  • Regular full scan
  • Tool similar to “APTools”
  • Device fingerprinting
  • Includes remote networks (home)
– Via “wireless” scanning
  • AP or client
  • Through WLSE
WLSE (Wireless LAN Solution Engine): an appliance offered by Cisco to manage Cisco's Aironet line of "autonomous" wireless access points and bridges.

Denial of Service
Can be malicious or “accidental”
Example: Send de-authenticate frames using MAC of AP
Mitigated by:
– Careful radio management (WLSE)
– Prudent AP configuration (EMAN)
– Monitor the airwaves (WLSE)
– Stable authentication back-end

Wireless LAN Security
Recommended Best Practices
– Implement Secure Management Policy for APs/Bridges
  • Disable Telnet, disable http access, disable CDP, enable SSH, and enable TACACS for Admin authentication
– Publicly Secure Packet Forwarding (PSPF)
  • no inter-client communication on specific VLANs
– Virus Scanning + Firewall
  • recommended on WLAN Clients
– RF Monitoring and Rogue AP Detection
  • Radio, client & network based scanning
  • Wireless IDS (WLSE 2.7)
– Select appropriate EAP mechanism
Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol for communication with an authentication server, commonly used in UNIX networks

Wireless LAN Security
Detection
– Can detect active scanning tools
  • NetStumbler leaves well-known fingerprints in logs
– MAC spoofing
  • FakeAP – detect short time between broadcasts w/sniffer
– WEP reinjection
  • FCS (frame check sequence) has consistent value (would change if it were true data traffic)
– IDS
  • Snort-wireless
  • Snort plug-ins detect rogue APs & active scanning
  • Kismet detects active scanning, M-I-M attacks
  • WIDZ detects attacks & rogue APs
  • AirDefense detects attacks & rogue APs (commercial)
  • AirMagnet w/distributed sensors
  • Cisco SWAN deploys sensors into APs
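Three of the checks named in these slides (beacons from an AP missing from the approved inventory, bursts of de-authenticate frames carrying the AP's MAC, and data frames that repeat the same FCS), sketched as an added example that is not part of the original lecture note and not code from any of the listed tools. The record format, MAC addresses, inventory and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed inventory of approved access points: BSSID -> SSID
APPROVED = {"00:11:22:33:44:55": "corp-wlan"}

# Constructed sniffer records: time_s,type,src,bssid,ssid,fcs
SAMPLE = """\
0.00,beacon,00:11:22:33:44:55,00:11:22:33:44:55,corp-wlan,1a2b3c4d
0.10,beacon,66:77:88:99:aa:bb,66:77:88:99:aa:bb,corp-wlan,5e6f7081
1.00,data,02:00:00:00:00:01,00:11:22:33:44:55,,deadbeef
1.01,data,02:00:00:00:00:01,00:11:22:33:44:55,,deadbeef
1.02,data,02:00:00:00:00:01,00:11:22:33:44:55,,deadbeef
1.03,data,02:00:00:00:00:02,00:11:22:33:44:55,,0badf00d
2.00,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,11111111
2.05,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,22222222
2.10,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,33333333
2.15,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,44444444
"""

def parse(log: str):
    """Yield (time, type, src, bssid, ssid, fcs) from the constructed format."""
    for line in log.strip().splitlines():
        ts, ftype, src, bssid, ssid, fcs = line.split(",")
        yield float(ts), ftype, src, bssid, ssid, fcs

def detect(log: str, deauth_per_sec: int = 3, fcs_repeats: int = 3):
    """Return sorted (alert, MAC) pairs; both thresholds are assumptions."""
    alerts = set()
    deauths = Counter()     # (bssid, one-second bucket) -> deauth frames seen
    fcs_seen = Counter()    # (source, fcs) -> data frames seen
    for ts, ftype, src, bssid, ssid, fcs in parse(log):
        if ftype == "beacon" and bssid not in APPROVED:
            alerts.add(("rogue_ap", bssid))         # unapproved AP on the air
        elif ftype == "deauth":
            deauths[(bssid, int(ts))] += 1
        elif ftype == "data":
            fcs_seen[(src, fcs)] += 1
    alerts |= {("deauth_burst", b) for (b, _), n in deauths.items()
               if n >= deauth_per_sec}
    alerts |= {("fcs_repeat", s) for (s, _), n in fcs_seen.items()
               if n >= fcs_repeats}                 # same frame seen repeatedly
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```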