Chapter 1: The security of existing wireless networks

a. Security of cellular networks
b. WiFi Security: WEP, WPA, and WPA2

Security and Cooperation in Wireless Networks
Levente Buttyan and Jean-Pierre Hubaux

[--Note: L. Lilien made changes to improve clarity and formatting of slides, including:
(1) adding more levels for prioritization of text,
(2) changing font to larger size for most slides,
(3) splitting many slides into 2 or more slides (necessary due to the above changes),
(4) adding emphasis by changing font color to blue,
(5) removing words that are superfluous in slides,
(6) improving consistency of slides and the textbook.
Modifications are © 2007-2009 by Leszek T. Lilien. Requests to use L. Lilien’s slides for non-profit purposes will be gladly granted upon a written request.--]


Why is security more of a concern in wireless?

No inherent physical protection
– Physical connections between devices are replaced by logical associations
– Don’t need physical access to the network infrastructure (cables, hubs, routers, etc.) for transmitting messages

Wireless broadcast transmissions / communications
– Usually, wireless = radio => a broadcast nature
– Can be overheard by anyone in range
– Anyone can transmit
  • Received by other devices in range
  • Interferes with other nearby transmissions
– Jamming may prevent correct reception


Security vulnerabilities for wireless networks

eavesdropping is easy
messages can be altered or bogus messages injected by an attacker (it is an example of an active attack)
easier to impersonate (= to cheat on identities)
replaying previously recorded messages is easy
illegitimate access to the network and its services is easy
denial of service (DoS) is easily achieved by jamming


Security requirements for wireless communication

Recall: classic CIA security requirements
– CIA = confidentiality + integrity + availability
– Req’s below include CIA (in a different order)
-------------------------------------------
authentication
– origin of received messages must be verified

access control
– limit access to network services to legitimate entities only
– need permanent access control
  • checking the legitimacy of an entity only when it joins the network (and its logical associations are established) is not sufficient
    – bec. logical associations can be hijacked

confidentiality
– messages must be encrypted


Security requirements for wireless communication (2)

integrity
– malicious modification of messages is possible
  • Even if modifying on-the-fly (during radio transmission) is not so easy
– integrity of received messages must be verified

privacy
– incl. location privacy
  • do not reveal the location of the user, nor the party with which she communicates
    – law enforcement agencies must have access to these two pieces of info

non-repudiation
– e.g., prevent possibility that a user, after getting a message/service, pretends that she did not


Security requirements for wireless communication (3)

availability
– in particular, guarantee a fair share of the radio resource
  • e.g., for all mobile users located in the same radio domain
– provide higher priority for more important communications
  • e.g., an emergency call from a cellular phone

other security req’s:
– replay detection
  • freshness of received messages must be checked
– protection against jamming


Securing wireless networks
a. Security of cellular networks

Security in European cellular nets (similar in US cell nets)

- in GSM (Global System for Mobile Communications)

- A European 2G (2-nd generation) cellular network

- in UMTS (Universal Mobile Telecommunications System)

- A European 3G (3-rd generation) cellular network


REFRESHER SLIDES (quick presentation till Slide 23)

Introduction To Cellular Systems
(see L. Lilien’s Section 1 and Section 9 slides for CS6910: Pervasive Computing – S’07)

[Figure: Maintaining the telephone number across geographical areas in a wireless and mobile system (Cincinnati, OH and Washington, DC). [LTL:] User moves but phone # unchanged]


Generations of Wireless Systems & Services

1G - First Generation
– Primarily for voice communication
– Using FDM (frequency division multiplexing)

2G - Second Generation
– Emphasis still on voice communication but allows for…
– … Data communication
– Using TDM (time division multiplexing)
– Indoor/outdoor and vehicular environment

3G - Third Generation
– Integrated voice, data, and multimedia communication
– Need for:
  • High volume of traffic / Real time data communication
  • Flexibility, incl.
    – Frequent Internet access
    – Multimedia data transfer
  • Compatibility with 2G
– Using compression
  • Without compromising quality

© 2007 by Leszek T. Lilien


Future: 4G

4G
– Expected to implement all standards from 2G & 3G
– Infrastructure only packet-based, all-IP
– Some of the standards paving the way for 4G:
  • WiMax
  • WiBro (Korean)
  • 3GPP Long Term Evolution
    – Improves the UMTS mobile phone standard (Europe)
  • Work-in-progress technologies
    – E.g., HSOPA, a part of 3GPP Long Term Evolution


Coverage Aspect of Next Generation Mobile Communication Systems

[Figure: coverage levels. Cell types: Picocell, Microcell, Macrocell, Global. Area labels: In-Building, Urban, Suburban, Global, Satellite.]


Fundamentals of Cellular Systems

[Figure: Illustration of a cell with a mobile station (MS) and a base station (BS). Panels: service area with ideal cell area (circle, 2-10 km radius); hexagonal cell area used in most models; alternative shape of a cell (square).]

[LTL:] Cell shapes (above)
– Actually, cell may have a zigzag shape
– Hexagon is a good approximation in practice
  • Also, gives non-overlapping cells (used by clever bees for beehives)
  • E.g., circles would either overlap, or would have gaps in between


MS, BS, BSC, MSC, and PSTN

[Figure: a home phone attached to the PSTN; the PSTN connects MSCs; each MSC connects several BSCs; each BSC connects several BSs, each serving MSs. The links between BS, BSC, MSC and PSTN are wired links.]

[LTL:]
– Several BSs connected via wireline links to one BSC (BS controller)
– Several BSCs connected via wireline links to one MSC (Mobile Switching Center)
– Several MSCs interconnected via wireline links to PSTN (Public Switched Telephone Network) and the ATM backbone


BS Structure

BS consists of
– Base Transceiver System (BTS)
  • Includes tower & antenna
– BSC
  • Contains all associated electronics


MSC Database Supporting MS Mobility & Incoming Call Scenario

MSC database for supporting MS mobility
1) Home location register (HLR) for MS
  • Located at the “home MSC” for MS
    – Where MS is registered, billed, etc.
  • Indicates current location of MS
    – Could be within home MSC’s area
    OR
    – Could be in the area of any MSC in the world
2) Visitor location register (VLR) on each MSC
  • Contains info on all MSs visiting area of this MSC

Incoming call scenario
– Based on the called #, incoming call for an MS is directed to the HLR of the “home MSC” for this MS
– HLR redirects the call to MSC/BSC/BS where the MS is now
– VLR of the “current MSC” has info on MS (one of visiting MSs)


Control and Traffic Channels

[Figure: Base Station and Mobile Station linked by four channels: forward (downlink) control channel, reverse (uplink) control channel, forward (downlink) traffic channel, reverse (uplink) traffic channel.]

Note: Forward/reverse in the U.S., downlink/uplink elsewhere

[LTL:]
4 simplex channels needed for control & traffic
– 2 control channels
  • Exchange control msgs
  • Forward channel & reverse channel
– 2 traffic channels
  • For data
  • Forward channel & reverse channel


Steps for a Call Setup from MS to BS

[Figure: messages exchanged between BS and MS, ordered in time]
1. Need to establish path
2. Frequency/time slot/code assigned (FDMA/TDMA/CDMA)
3. Control information acknowledgement
4. Start communic. on assigned traffic channel

[LTL:] Steps for a call setup from MS to BS - When MS initiates a call


Steps for a Call Setup from BS to MS

[Figure: messages exchanged between BS and MS, ordered in time]
1. Call for MS # pending
2. Ready to establish a path
3. Use frequency / time slot / code (FDMA/TDMA/CDMA)
4. Ready for communication
5. Start communic on assigned traffic channel

[LTL:] Steps for a call setup from BS to MS: When MS responds to a call (another MS calls this MS)


9.2. Cellular System Infrastructure – cont. 1

The infrastructure in more detail
1) Discussed in Sec. 1 (“Pervasive Computing”):
  – BTS = base transceiver system (tower + antenna) (transceiver = transmitter + receiver)
  – BSC = BS controller (all electronics controlling BTSs, even k*100 BTSs)
  – BS = base station = BTS + BSC
    NOTE: We sometimes omit mentioning BTS, as if BTS + BSC were co-located & were an integrated BS. Sometimes (as in the previous Figure) BTS is denoted as “BS”
  – HLR = home location register
  – VLR = visitor location register
2) Not discussed yet:
  – AUC = authentication center
  – EIR = equipment identity register

(Modified by LTL)


9.2. Cellular System Infrastructure – cont. 3

HLR and VLR used in a way analogous to mail forwarding by the U.S. Postal Service - fig. above (pp. 190/- 192)

(Modified by LTL)


9.2. Cellular System Infrastructure – cont. 4

Unlike in the USPS example, in cellular need not only forward link (home MSC -> visiting MSC)
Need also a backward link (visiting MSC -> home MSC) – see fig. below for the bi-directional link

Backward link needed for, e.g.:
– Billing - done only by home MSC (mobile switching center)
– Look at the list of access specifications – kept by home MSC
– Is MS active or not (e.g., delayed payment)
– Local calls only or long distance calls allowed or both
– Listing of calls made
– Listing of charges

(Modified by LTL)


The end of the “Introduction to Cellular Systems”


GSM Security: The SIM card (Subscriber Identity Module)

Security req’s for SIMs (SIMs implemented as smart cards)
– Tamper-resistance
– Protected by a PIN code (checked locally by the SIM)
– Removable from the terminal
– Contains all end-user-specific data required in the Mobile Station:
  • IMSI: International Mobile Subscriber Identity (permanent user’s identity)
  • PIN
  • TMSI (Temporary Mobile Subscriber Identity)
  • Ki : User’s secret key
  • Kc : Ciphering key
  • List of the most recent call attempts
  • List of preferred operators
  • Supplementary service data (abbreviated dialing, last short messages received,...)


Authentication principle of GSM

* Uses challenge-response principle
  + Subscriber (her SIM card) receives a random # (RAND) as a challenge
  + To be authenticated, subscriber (SIM) must compute a correct response
    - Computed from the challenge (RAND) and long-term secret key (K)
      - K known only to Subscriber (her SIM) and the operator
      - RAND ensures freshness of response (w/o RAND, attacker could use old response)

For more interesting case, consider auth’g subscriber in visited network (not in home network) – see Fig. 1.1
– PRNG – (programmable) RAND # generator
– A3, A8 – algorithms from GSM specs
– SRES – correct response to the challenge
– CK – encr. key for mobile-to-visited net communication
– SRES’ – response to chall. fr. mobile


Authentication principle of GSM (2)

* Notes: VN = visited network, HN = home network
+ VN authenticates subscriber w/o knowing K (long term key)
  - Knows CK (encr. key for mobile-to-visited net communications)
  - VN need not consult HN
+ HN need not be contacted by VN each time subscriber must be authenticated
  - Bec. HN can send a few triplets (RAND, SRES, CK) each time it is contacted by VN
+ Subscriber identity hidden from eavesdroppers by using TMSI
  - IMSI used for 1st authentication
  - TMSI assigned to Subscriber by VN after 1st successful authentication
    - Encrypted with CK
  - Mobile uses TMSI to communicate w/ VN
+ When Subscriber moves to VN2 (another VN):
  - VN2 contacts VN1
  - VN1 sends TMSI to VN2
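The triplet flow described above, as an added sketch (not code from the slides or the textbook): the home network hands a batch of (RAND, SRES, CK) triplets to the visited network, which then authenticates the SIM several times without learning K. A3 and A8 are operator-dependent, so HMAC-SHA256 stands in for both; the class names, batch size, output lengths, key and IMSI string are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 with a distinct label stands in for the
# operator-chosen A3 and A8. Only the data flow follows the slides.
def a3(k: bytes, rand: bytes) -> bytes:
    """SRES: response to the challenge RAND under the long-term key K."""
    return hmac.new(k, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(k: bytes, rand: bytes) -> bytes:
    """CK: encryption key for mobile-to-visited-network traffic."""
    return hmac.new(k, b"A8" + rand, hashlib.sha256).digest()[:8]

class HomeNetwork:
    """Holds K per IMSI; besides the SIM, the only party that knows K."""
    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, k: bytes) -> None:
        self._keys[imsi] = k

    def triplets(self, imsi: str, count: int):
        """Return `count` fresh (RAND, SRES, CK) triplets for a visited network."""
        k = self._keys[imsi]
        batch = []
        for _ in range(count):
            rand = os.urandom(16)
            batch.append((rand, a3(k, rand), a8(k, rand)))
        return batch

class Sim:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k, self.ck = imsi, k, None

    def challenge(self, rand: bytes) -> bytes:
        # The SIM answers whoever sends RAND: it has no means to check the
        # sender, which is the unilateral authentication of GSM.
        self.ck = a8(self._k, rand)
        return a3(self._k, rand)          # SRES'

class VisitedNetwork:
    """Authenticates subscribers from cached triplets; never sees K."""
    def __init__(self, home: HomeNetwork, batch_size: int = 3):
        self.home, self.batch_size = home, batch_size
        self._cache = {}
        self.home_contacts = 0

    def authenticate(self, sim: Sim):
        """Return (accepted, CK). Each triplet is used once, then discarded."""
        if not self._cache.get(sim.imsi):
            self._cache[sim.imsi] = self.home.triplets(sim.imsi, self.batch_size)
            self.home_contacts += 1
        rand, sres, ck = self._cache[sim.imsi].pop()
        sres_prime = sim.challenge(rand)
        if hmac.compare_digest(sres, sres_prime):
            return True, ck
        return False, None

def run_demo() -> dict:
    home = HomeNetwork()
    k = bytes(range(16))                      # constructed sample key
    home.provision("IMSI-EXAMPLE-1", k)       # constructed placeholder identity
    visited = VisitedNetwork(home)
    genuine = Sim("IMSI-EXAMPLE-1", k)
    wrong_key = Sim("IMSI-EXAMPLE-1", b"\x00" * 16)

    results = [visited.authenticate(genuine) for _ in range(4)]
    keys_agree = results[-1][1] == genuine.ck  # both ends derived the same CK
    rejected = visited.authenticate(wrong_key)
    return {
        "accepted": [ok for ok, _ in results],
        "keys_agree": keys_agree,
        "home_contacts": visited.home_contacts,
        "wrong_key": rejected,
    }

if __name__ == "__main__":
    print(run_demo())
```

Four authentications cost two contacts with the home network, because each contact returns a batch of three triplets.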


SKIP-Authentication principle of GSM (original sl.)

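[Figure: message flow between Mobile Station, Visited network and Home network. The mobile sends IMSI (or TMSI); the visited network sends IMSI to the home network; the home network computes Kc and S from Ki and R with A8 and A3 and returns triplets (Kc, R, S); the visited network sends Authenticate (R); the mobile computes Kc and S’ from Ki and R with A8 and A3 and answers Auth-ack(S’); the visited network checks S = S’?]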


SKIP-Cryptographic algorithms of GSM

[Figure: R (random number) and Ki (user’s secret key) are the inputs of A3 and A8, which output S and Kc; (R, S, Kc) form the triplet. S is used for authentication, Kc by the A5 ciphering algorithm.]

Kc: ciphering key
S : signed result
A3: subscriber authentication (operator-dependent algorithm)
A5: ciphering/deciphering (standardized algorithm)
A8: cipher generation (operator-dependent algorithm)


Ciphering in GSM

[Figure: at the sender (MS or network), A5 takes Kc and the frame number and outputs a ciphering sequence, which is combined with the plaintext sequence to give the ciphertext sequence. The receiver (network or MS) runs A5 on the same Kc and frame number and recovers the plaintext sequence.]

Kc = ciphering key
A5 = ciphering/deciphering (standardized algorithm)


Conclusion on GSM security

Security services provided by GSM security architecture:
– Focus on the protection of the air interface
  • No protection on the wired part of the network
    – Neither for privacy nor for confidentiality
– Allow the visited network access to almost all data
  • Except the secret key of the end user
– Generally robust…
– … but a few successful attacks have been reported:
  • faking base stations
  • cloning SIM card


UMTS Security Architecture (1a)

Motivation and goals
– New kind of service providers
  • content providers, HLR only service providers,…
    – HLR = Home Location Register
– Increased control for users over their service profiles
– Enhanced resistance to active attacks
– Increased importance of non-voice services
– Reuse GSM (2G) security principles
– …


UMTS Security Architecture (1b)

Reusing GSM security principles (for GSM):
– Removable hardware security module
  • In GSM (2G): SIM card
  • In UMTS (3G): USIM (User Services Identity Module)
– Radio interface encryption
– Limited trust in a visited network
  • K (long-term key) never revealed to it
– Protection of the end user’s identity
  • Especially on the radio interface
  • Using TMSI instead of IMSI


UMTS Security Architecture (2a)

Weaknesses of GSM security that require corrections:
– Only unilateral authentication
  • Authenticates only MS (mobile station) to BS (base station) in visited net (none in reverse)
    => Allows for fake BSs
  • Then run MITM (man-in-the-middle) attacks from it
    – Using “IMSI catchers” (devices for protocol testing)
  • Facilitated by inability of subscriber to verify freshness of the received challenge
– Lack of integrity protection for communication / signalling over radio
  • Facilitates using fake BSs
  • Integrity not critical for voice communications (just some voice distortion) but ...
  • ... Integrity critical for data communications (each bit matters!)


UMTS Security Architecture (2b)

Weaknesses of GSM security that require corrections – cont.

– Short length of encryption key
– Weaknesses in implementations of the A3 and A8 algorithms
  • Allow compromising K (long-term key)
    – This allows cloning SIM
– ...


UMTS Security Architecture (3)

Principles for new security architecture in UMTS
– Fix the weaknesses of GSM
– Without changing general GSM security principles
=> Extending them
  • ‘Reverse’ authentication (BS to MS)
  • Integrity protection

New security features in 3G
– Address the weaknesses
– Without changing general GSM security principles
– Instead, extend GSM security principles
  • ‘Reverse’ authentication (BS to MS)
  • Integrity protection


Authentication in UMTS

Details
– GSM triplet (RAND, SRES, CK) replaced by a quintuple – the UMTS authentication vector: (RAND, XRES, CK, IK, AUTN)
  where:
  • RAND – as before
  • XRES – expected response to RAND
  • CK – as before
  • IK – integrity protection key
  • AUTN – token that:
    (a) authenticates HN (home net) to MS
    (b) proves freshness of RAND


Authentication in UMTS (2)

• Construction of authentication vector in UMTS standard
• SQN = sequence # maintained synchronously by MS and HN
• AK = anonymity key: to hide SQN value from eavesdroppers
• AMF = auth. & key mngmt field: to pass parameters from HN to MS
• MAC = message authentication code (nothing to do with MAC sublayer)
• f1 – f5 = one-way (hashing) functions

Notes:
- ⊕ - the XOR operation
- SQN encoded with AK to protect privacy of MS (otherwise eavesdropper could associate different executions of authorization protocol with consecutive sequence #s to the same subscriber)


Authentication in UMTS-3GPP

[Figure: message flow between MS, Visited Network and Home Network]
– MS sends IMSI/TMSI
– Home Network: generation of cryptographic material from K (user’s secret key), SQN and RAND(i), giving the i-th authentication vector <RAND(i), XRES(i), CK(i), IK(i), AUTN(i)>
– Visited Network to MS: User authentication request RAND(i) || AUTN(i)
– MS (holding K):
  1) Verify AUTN(i): (cf. next slide)
     - Generate AK
     - Decode SQN
     - Verify MAC
     - Verify SQN(i)
  2) Compute RES(i) (next)
  3) Compute CK(i) (next)
  4) Compute IK(i) (next)
– MS to Visited Network: User authentication response RES(i)
– Visited Network: Compare RES(i) and XRES(i); Select CK(i) and IK(i)

From now on CK(i) & IK(i) used to protect integrity & confidentiality of msgs

Recall:
• AK = anonymity key: to hide SQN value from eavesdroppers
• SQN = sequence # maintained synchronously by MS and HN
• MAC = message authentication code


User Authentication Function in the USIM

USIM: User Services Identity Module

[Figure: inside the USIM, functions f1 to f5 are keyed with K. f5 takes RAND(i) and gives AK(i), used to recover SQN(i) from the SQN ⊕ AK field of AUTN(i) (fields of AUTN(i): SQN ⊕ AK, AMF, MAC). f1 gives XMAC(i) (expected MAC), f2 gives RES(i) (result), f3 gives CK(i) (cipher key), f4 gives IK(i) (integrity key).]

• Verify MAC = XMAC (if yes, SQN originated in MS’s home network)
• Verify that SQN(i) > most recent SQN stored by MS
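The USIM-side checks listed above, as an added sketch (not code from the slides or from any 3GPP implementation): the home network builds (RAND, XRES, CK, IK, AUTN) with AUTN = (SQN ⊕ AK) || AMF || MAC, and the USIM accepts it only if MAC = XMAC and SQN is newer than the last one it stored. HMAC-SHA256 stands in for f1 to f5; the field widths (SQN and AK 6 bytes, AMF 2, MAC 8, RAND 16), the key and the all-zero AMF are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

def _prf(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    # Assumption: stand-in for the one-way functions f1..f5 (HMAC-SHA256,
    # one label per function, truncated to n bytes).
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf):          # MAC / XMAC
    return _prf(k, b"f1", sqn + rand + amf, 8)

def f2(k, rand):                    # RES / XRES
    return _prf(k, b"f2", rand, 8)

def f3(k, rand):                    # CK
    return _prf(k, b"f3", rand, 16)

def f4(k, rand):                    # IK
    return _prf(k, b"f4", rand, 16)

def f5(k, rand):                    # AK
    return _prf(k, b"f5", rand, 6)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_vector(k: bytes, sqn: int, amf: bytes = b"\x00\x00") -> dict:
    """Home network side: authentication vector for sequence number `sqn`."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    autn = xor(sqn_b, f5(k, rand)) + amf + f1(k, sqn_b, rand, amf)
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}

class AuthReject(Exception):
    pass

class Usim:
    def __init__(self, k: bytes, last_sqn: int = 0):
        self._k, self.last_sqn = k, last_sqn

    def authenticate(self, rand: bytes, autn: bytes):
        """Verify AUTN, then return (RES, CK, IK); raise AuthReject otherwise."""
        if len(rand) != 16 or len(autn) != 16:
            raise AuthReject("malformed request")
        concealed_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        ak = f5(self._k, rand)                        # generate AK
        sqn_b = xor(concealed_sqn, ak)                # decode SQN
        xmac = f1(self._k, sqn_b, rand, amf)
        if not hmac.compare_digest(mac, xmac):        # verify MAC = XMAC
            raise AuthReject("MAC != XMAC")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.last_sqn:                      # verify SQN is newer
            raise AuthReject("SQN not fresh")
        self.last_sqn = sqn
        return f2(self._k, rand), f3(self._k, rand), f4(self._k, rand)

def outcome(usim: Usim, rand: bytes, autn: bytes) -> str:
    try:
        usim.authenticate(rand, autn)
        return "accepted"
    except AuthReject as err:
        return str(err)

def run_demo() -> dict:
    k = bytes(range(16))                              # constructed sample key
    usim = Usim(k)
    av = make_vector(k, sqn=1)
    res, ck, ik = usim.authenticate(av["RAND"], av["AUTN"])
    forged = make_vector(b"\xff" * 16, sqn=2)         # sender without K
    av2 = make_vector(k, sqn=2)
    bad_amf = av2["AUTN"][:6] + b"\xff\xff" + av2["AUTN"][8:]
    return {
        "visited_accepts_res": hmac.compare_digest(res, av["XRES"]),
        "keys_match": (ck, ik) == (av["CK"], av["IK"]),
        "replay": outcome(usim, av["RAND"], av["AUTN"]),
        "wrong_k": outcome(usim, forged["RAND"], forged["AUTN"]),
        "tampered_amf": outcome(usim, av2["RAND"], bad_amf),
        "next_vector": outcome(usim, av2["RAND"], av2["AUTN"]),
    }

if __name__ == "__main__":
    print(run_demo())
```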


Conclusion on UMTS security

Some improvement w.r.t. 2G
– Cryptographic algorithms are published
– Integrity of the signalling messages is protected

Quite conservative solution
Privacy/anonymity of the user not completely protected
Complicates 2G-3G interoperability
– Might open security breaches


Securing wireless networks
b. WiFi Security: WEP, WPA, & WPA2

- intro to WiFi
- WEP
  - intro to WEP
  - WEP flaws
  - WEP – Lessons learnt
- 802.11i
- Summary of WiFi security


b.1. Introduction to WiFi (1)

[Figure: STA scanning on each channel and receiving beacons from the AP; STA sends an association request, AP answers with an association response; STA is then “connected”.]

beacon
- MAC header
- timestamp
- beacon interval
- capability info
- SSID (network name)
- supported data rates
- radio parameters
- power save flags

STA = mobile STAtion
AP = Access Point


Introduction to WiFi (2)

[Figure: AP connected to the Internet]


b.2. WEP
b.2.1. Intro to WEP

WEP = Wired Equivalent Privacy
WEP is a part of the IEEE 802.11 specification

goal
– make WiFi net at least as secure as a wired LAN
  • that has no particular protection mechanisms
– WEP was never intended to achieve strong security

services
– access control to the network
– message confidentiality
– message integrity


WEP – Access control

before association, STA needs to authenticate itself to AP

authentication is based on a simple challenge-response protocol:
  STA → AP: authenticate request
  AP → STA: authenticate challenge (r)        (r is 128 bits long)
  STA → AP: authenticate response (eK(r))
  AP → STA: authenticate success/failure

if authentication fails, no association is possible
if authentication succeeds:
– STA sends an association request
– AP responds with an association response


WEP – Message confidentiality and integrity

WEP encryption - based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.)
– Operation:
  • Sending message:
    – RC4 generator is initialized with:
      » a shared secret (shared between STA & AP)
      » an initialization vector (IV) – 24 bits
    – RC4 produces a key stream (a pseudo-random byte sequence)
    – Key stream is XORed with the message
  • Msg reception is analogous
– Essential: different key stream for each message
  – shared secret - the same for each message
  – IV - changes for every message

WEP integrity protection - based on an encrypted CRC value
– Operation:
  • Integrity check value (ICV) is computed and appended to the message
  • the message and the ICV are encrypted together


WEP – Message confidentiality and integrity (2)

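[Fig. 1.3. Encryption and decryption in WEP. Encode: IV and secret key initialize RC4, which outputs the key stream K; K is XORed with message || ICV, and the IV is sent together with the encrypted message || ICV. Decode: the received IV and the secret key initialize RC4, which outputs K; K is XORed with the received data to give message || ICV.]

K = key stream
ICV = CRC value for “message”
Shaded means secret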


WEP – Kinds of Keys

WEP standard - two kinds of keys are allowed
– Default key
  • Also called: shared key, group key, multicast key, broadcast key, key
– Key-mapping keys
  • Also called: individual key, per-station key, unique key

In practice, often only default keys are supported
– Default key - manually installed in every STA & AP
– Each STA uses the same shared secret key (see the “Default key” fig.)
  => in principle, STAs can decrypt each other’s messages

[Figure, “Default key”: stations id:X, id:Y and id:Z each hold key:abc; the AP holds key:abc.]
[Figure, “Key-mapping key”: station id:X holds key:def, id:Y holds key:ghi, id:Z holds key:jkl; the AP holds the table id:X | key:def, id:Y | key:ghi, id:Z | key:jkl.]


WEP – Management of default keys

The default key is a group key
– Group keys need to be changed when a member leaves the group
  • E.g., when someone leaves the company and shouldn’t have access to its network anymore

Practically impossible to change the default key in every device simultaneously
=> WEP supports multiple default keys for smooth change of keys
– One of the keys is the active key
  • Used currently to encrypt messages
– Any default key can be used to decrypt messages
  • The message header contains a key ID
    – Allows the receiver to find out a key to decrypt the message (allows the receiver to know default keys – knowing one is enough)


WEP – The key change process

[Figure: key change over time for STA1, AP and STA2. Each device holds two default-key slots and moves through the states abc* ---, abc* def, abc def*, --- def*.]

a, b, c – default keys
* indicates the active key

Note:
* New STA can read msg encoded with c (since it includes it as a default key)
* AP can read msg encoded with f (since it includes it as a default key)


b.2.2. WEP flaws

WEP Flaws in Authentication & Access Control

Flaw 1: Authentication is not mutual (one-way only)
– AP is not authenticated by STA (mobile STAtion)
  • STA is at risk to associate with a rogue AP

Flaw 2: The same shared secret key used for authentication & encryption
  • I authenticate X if X uses one of “my” group keys for encrypting her messages
  • I don’t authenticate Y if his msg can’t be decrypted using one of my group keys
– Bad! Weaknesses in any of the two protocols can be used to break the key for the other protocol

Flaw 3: STA authenticated only at connection time
=> Access control is not continuous
– Once STA has authenticated with (& associated to) AP, an attacker can send messages using the MAC (medium access control) address of STA
  • Correctly encrypted messages cannot be produced by the attacker (does not know a group key)…
  • … But attacker can replay STA msgs (e.g., STA1 msg replayed as STA 5 msg)
=> STA can be impersonated (next slide)


WEP flaws in Authentication and Access Control (2a)

Flaw 4: Using RC4 for encrypting random challenge
– Recall: Authentication based on a challenge-response protocol:
    …
    AP → STA: C                    (C = challenge)
    STA receives C, calculates response:
    STA → AP: IV || ( C ⊕ K )
    …

[Figure: STA feeds the IV and the secret key into RC4 to obtain key stream K, encodes C as C ⊕ K and sends it together with the IV.]

K = a 128-bit key stream (RC4 output)


WEP flaws in Authentication and Access Control (2b)

– An attacker can:
  • Capture challenge C - when sent from AP to STA
  • Capture challenge encrypted in response R = (C ⊕ K) - when sent from STA to AP
  • Compute key stream: K = C ⊕ (C ⊕ K)

– Later, attacker can use key stream K to impersonate a legitimate STA:
    AP → attacker: C’                     (C’ – any challenge!)
    attacker → AP: IV || ( C’ ⊕ K )       - correct attacker’s response to any … challenge

Note: IV does not help to prevent the attack
- Since selected by the sender – i.e., the attacker


WEP Flaws in Replay Protection & Integrity

Replay protection: none at all
– IV not mandated to be incremented after each msg

Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption
– ICV appended to clear message M (see Fig. 1.3) is the CRC value for M (CRC = cyclic redundancy code)
– CRC is a linear function w.r.t. XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)
- WEP-encrypted message M (cf. Fig. 1.3): (M || CRC(M)) ⊕ K


WEP Flaws in Replay Protection & Integrity (2)

Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption – cont.

- Attacker observes encrypted message M: (M || CRC(M)) ⊕ K
- ΔM = changes that attacker wants to make in M
- Unfortunately, the attacker can compute CRC(ΔM) for any ΔM
- Hence, the attacker can also compute encrypted message (M ⊕ ΔM) as follows:

    Captured encrypted message M ⊕ encrypted ΔM
    = ((M || CRC(M)) ⊕ K) ⊕ (ΔM || CRC(ΔM))
    = ((M ⊕ ΔM) || (CRC(M) ⊕ CRC(ΔM))) ⊕ K
    = ((M ⊕ ΔM) || CRC(M ⊕ ΔM)) ⊕ K        - encrypted message (M ⊕ ΔM)

Att. uses captured encrypted msg, then adds the last component (that includes no K! -- so needs NOT know K!)

By rules of math, the effect is AS IF the att. knew K (even though the att. does NOT know K)
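The ICV weakness from the two integrity slides above, as an added example (not from the slides or the textbook): the same key-less modification is applied to a simplified WEP frame and to a frame protected by a keyed MIC. The frame layout without a key-ID byte, the sample key, IV and message, and HMAC-SHA-256 as the keyed MIC are assumptions of this example; it also shows that the standard CRC-32 is affine rather than strictly linear, so the patch needs one extra CRC of an all-zero string.

```python
import hashlib
import hmac
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """First n key-stream bytes of RC4 for the given seed (WEP: IV || key)."""
    s, j = list(range(256)), 0
    for i in range(256):                              # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                                # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(m: bytes) -> bytes:
    """WEP's ICV: the unkeyed CRC-32 of the clear message."""
    return zlib.crc32(m).to_bytes(4, "little")

def keyed_mic(mic_key: bytes):
    """Assumed replacement: a keyed MIC (HMAC-SHA-256 truncated to 8 bytes)."""
    return lambda m: hmac.new(mic_key, m, hashlib.sha256).digest()[:8]

def seal(iv, key, m, tag_fn):
    """IV || ((M || tag(M)) xor K), with K = RC4(IV || key)."""
    body = m + tag_fn(m)
    return iv + xor(body, rc4(iv + key, len(body)))

def unseal(key, frame, tag_fn, tag_len):
    """Decrypt and check the tag; return M, or None if the check fails."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    m, tag = body[:-tag_len], body[-tag_len:]
    return m if hmac.compare_digest(tag, tag_fn(m)) else None

def crc_is_affine(x: bytes, y: bytes) -> bool:
    """CRC(X xor Y) == CRC(X) xor CRC(Y) xor CRC(0...0) for equal lengths."""
    zero = crc_icv(bytes(len(x)))
    return crc_icv(xor(x, y)) == xor(xor(crc_icv(x), crc_icv(y)), zero)

def modify_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR (delta || CRC patch) into the ciphertext; the key is never used."""
    iv, ct = frame[:3], frame[3:]
    patch = xor(crc_icv(delta), crc_icv(bytes(len(delta))))
    mask = (delta + patch).ljust(len(ct), b"\x00")
    return iv + xor(ct, mask)

def demo():
    key = bytes.fromhex("0102030405")            # constructed 40-bit key
    iv = bytes.fromhex("000001")                 # constructed 24-bit IV
    m = b"PAY 0100 TO ALICE"                     # constructed message M
    delta = xor(m, b"PAY 9900 TO ALICE")         # the change, i.e. delta-M
    wep_frame = seal(iv, key, m, crc_icv)
    wep_out = unseal(key, modify_without_key(wep_frame, delta), crc_icv, 4)
    mic = keyed_mic(b"constructed MIC key")
    mic_frame = seal(iv, key, m, mic)
    mic_out = unseal(key, modify_without_key(mic_frame, delta), mic, 8)
    return wep_out, mic_out                      # CRC accepts, keyed MIC rejects

if __name__ == "__main__":
    print(demo())
```

The receiver accepts the modified WEP frame because the ICV can be recomputed by anyone; with a keyed MIC the same modification is detected and the frame is dropped.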


WEP Flaws in Confidentiality

Flaw 1: IV reuse
– IV space is too small - only 24 bits
  => there are about 17 million (16,777,216) possible IVs - IV reused after about 17 million msgs
– WiFi device xmits approx. 500 full-length frames per sec.
  => IV space is used up in a few hours
=> Repeating IVs means repeating key streams (pseudo-random sequences) used for encryption


WEP Flaws in Confidentiality (2)

Flaw 2: IV initialization & incrementing
– Many implementations initialize IV with 0 on startup & increment it by 1 for each next msg
  • If several devices are switched on nearly simultaneously, all use the same sequence of IVs
  • If they all use the same secret key (which is the common case for a default key for a group of devices under a single AP), then the same key streams (pseudo-random sequences) are used for encryption
=> An attacker does not need to wait for msgs using repeated key streams (due to using up all IV values)
  • Gets messages encrypted with the same key stream immediately


WEP flaws in Confidentiality (3)

Flaw 3 (total collapse of WEP): Weak RC4 keys
– For weak keys (some seed values), the beginning of the RC4 output is not really random
  • One can infer the bits of the seed from the first few bytes of the RC4 output
  => breaking the key is made easier
– Crypto experts suggest: always throw away the first 256 bytes of the RC4 output…
– … but WEP doesn’t do that


WEP flaws in Confidentiality (4)

Flaw 3 (total collapse of WEP): Weak RC4 keys – cont.

– Due to the use of ever-changing IV values, eventually a weak key will be used
  • Attacker will know that
    – Because IVs are sent in the clear (see Fig. 1.3)
- WEP encryption can be broken:
  - by automatic key-cracking tools!
  - after eavesdropping on only k * 100,000 of msgs!
– This is the most serious flaw
  • Since breaking WEP means finding out the secret key! (see Fig. 1.3)
    – Can read and fake messages at will


b.2.3. WEP – Lessons learnt

1. Engineering security protocols is difficult
– One can combine otherwise strong building blocks in a wrong way & obtain an insecure system at the end
  • Example 1:
    – Stream ciphers (e.g., RC4) alone are OK
    – Challenge-response protocols for authentication are OK
    – But they shouldn’t be combined (as in WEP)
  • Example 2:
    – Encrypting a msg digest (such as CRC) to obtain an ICV is a good principle
    – But it doesn’t work if the message digest function is linear w.r.t. the encryption function (as is the case for CRC, which is linear w.r.t. the XOR function used for encryption in WEP)


WEP – Lessons learnt

1. Engineering security protocols is difficult – cont.

– Use help of a security expert — don’t do it alone (unless you are a security expert)

  • Functional properties can be tested...
  • ...but security can’t be tested
    - it is a non-functional property
    => it is extremely difficult to tell if a system is secure or not
– Using an expert in the design phase pays off (fixing the system after deployment will be much more expensive)
  • experts will not guarantee that your system is 100% secure...
  • ...but at least they know many pitfalls
  • they know the details of crypto algorithms

2. Avoid the use of WEP (as much as possible)


b.3. Overview of 802.11i

After the collapse of WEP => IEEE started to develop a new security architecture => 802.11i & Robust Security Network (RSN)

Main novelties in 802.11i w.r.t. WEP
– access control model is based on 802.1X
– flexible authentication framework
  • based on EAP – Extensible Authentication Protocol
– authentication can be based on strong protocols
  • e.g., TLS – Transport Layer Security
– authentication process results in a shared session key
  • prevents session hijacking
– different functions (encryption, integrity) use different keys derived from the session key using a one-way (hashing) function
– improved integrity protection
– improved encryption


b.3. Overview of 802.11i (2)

802.11i defines RSN (Robust Security Network)
– integrity protection & encryption based on AES
  • not on RC4 anymore
– nice solution ...
– ... but needs new hardware => can’t be adopted quickly

In addition to RSN, 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol)
– ugly solution ...
– ... but no new hardware required
  • runs on old hardware after a software upgrade
– confidentiality: encryption based on RC4
  • but WEP’s problems have been avoided
– integrity protection based on Michael (more on it later)
– authentication, access control, key management — same as in RSN


b.3. Overview of 802.11i (3)

Industrial names
(industry, eager to fix WEP’s flaws, didn’t wait till 802.11i architecture was finalized by IEEE. It quickly produced its own specs, hence had to use different names.)
– For TKIP: WPA (WiFi Protected Access)
– For RSN: WPA2

Chronology [Wikipedia]
– WEP security specification is a part of the IEEE 802.11 standard ratified in Sept. 1999
– RSN & TKIP are defined in IEEE 802.11i, draft standard ratified in June 2004


b.3.1. Authentication and access control in 802.11i

Authentication and access control in 802.11i
– Borrowed from the 802.1X standard
  • 802.1X originally for wired LANs

802.1X authentication & access control model – next slide


802.1X authentication model

[Figure: the supplicant system (supplicant), the authenticator system (services, authenticator, port controls) and the authentication server system (authentication server), connected over the LAN.]

the supplicant requests access to the services (wants to connect to the network)

the authenticator controls access to the services (controls the state of a port)

the authentication server authorizes access to the services
– the supplicant authenticates itself to the authentication server (via the authenticator)
– if the authentication is successful:
  • the authentication server instructs the authenticator to switch the port on
  • the authentication server informs the supplicant that access is allowed


Mapping the 802.1X model to WiFi

Mapping 802.1X to WiFi:
– supplicant = STA (mobile device)
– authenticator = AP (access point)
– authentication server = server application running on AP or on a dedicated machine
– port = logical state implemented in software in the AP

One more thing added to the basic 802.1X model in 802.11i:
– successful authentication results not only in switching the port on
– also in defining a session key between STA (supplicant) and the authentication server
  • the session key is sent to the AP (authenticator) in a secure way
    – using a shared key between the AP and the authentication server
    – this key is usually set up manually


Protocols – RADIUS, EAPOL, and EAP

RADIUS = Remote Access Dial-In User Service [RFC 2865-2869, RFC 2548]

– to carry EAP messages (next) between auth server & AP (next)

• MS-MPPE-Recv-Key attribute is used to transport the session key from auth server to AP

– RADIUS is mandatory for WPA & optional for RSN

EAPOL = EAP over LAN [802.1X]

– to carry EAP messages (next) between STA & AP
– to encapsulate EAP messages into LAN protocols

• e.g., into Ethernet protocols


Summary of the protocol architecture

[Figure: protocol stacks of STA, AP and auth server.
 STA and auth server: TLS (RFC 2246), EAP-TLS (RFC 2716), EAP (RFC 3748)
 STA and AP: EAPOL (802.1X) over 802.11
 AP and auth server: EAP over RADIUS (RFC 3579), RADIUS (RFC 2865), TCP/IP, 802.3 or else]

IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia, “IEEE 802.3“]


Protocols – RADIUS, EAPOL, and EAP (2)

EAP = Extensible Authentication Protocol [RFC 3748]

– carrier protocol - to transport the messages of “real” authentication protocols (e.g., TLS)

– very simple, with four types of messages:
  • EAP request – carries messages from the supplicant to the authentication server
  • EAP response – carries messages from the authentication server to the supplicant
  • EAP success – signals successful authentication
  • EAP failure – signals authentication failure
– authenticator (AP) doesn’t understand what is inside the EAP messages
  • it recognizes only EAP success and EAP failure



Protocols – RADIUS, EAPOL, and EAP (3)

EAP-TLS = TLS over EAP [RFC 2716]

– for server & client authentication, generation of master secret
– only the TLS Handshake Protocol is used
– TLS master secret becomes the session key
– mandatory for WPA & optional for RSN



SKIP- Summary of the 802.11i protocol architecture


EAP in action

[Figure: message sequence between STA, AP and auth server]

EAPOL-Start
EAP Request (Identity)
EAP Response (Identity)
EAP Request 1
EAP Response 1
...
EAP Request n
EAP Response n
EAP Success

EAP Request 1 … EAP Response n carry the embedded auth. protocol. Messages between STA and AP are encapsulated in EAPOL; messages between AP and auth server are encapsulated in EAP over RADIUS.


b.3.2. Key management

Pairwise master key (PMK) = the session key established between STA & AP as a result of the authentication procedure
– “Pairwise” since known only to STA & AP
  • Known also to auth server (AS) - not counted since AS is a trusted entity
– “Master” bec. not used directly – used to generate encryption & integrity keys

Four keys derived from PMK are called the pairwise transient key (PTK) (in singular!)
– Data-encryption key (DEK)
– Data-integrity key (DIK)
– Key-encryption key (KEK)
– Key-integrity key (KIK)


b.3.2. Key management (2)

Special case: AES-CCMP – used in RSN (more on it later)

– Three keys only in its PTK (pairwise transient key)

  • DEK = DIK
  • KEK
  • KIK


Four-way handshake protocol

Objective:
– AP & STA exchange their random #s
  • to be used in PTK generation
– Proves to AP/STA that the other party also knows PMK (result of authentic’n)


Four-way handshake protocol (2)

The protocol: (its msgs are carried by EAPOL)

AP: generate ANonce (nonce is a random #)
1) AP → STA: ANonce | KeyReplayCtr          (Ctr = counter)
STA: generate SNonce and compute PTK
2) STA → AP: SNonce | KeyReplayCtr | MIC_KIK
   (above msg includes info needed by AP for computing PTK)
AP: compute PTK, generate GTK & verify MIC (using KIK to verify MIC)
   (a successful MIC verific. proves to AP that STA has PMK)
3) AP → STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
STA: verify MIC and install keys
   (a successful MIC verific. proves to STA that AP has PMK; also, this msg signals that AP is ready to install the keys => ready for encrypting subsequent packets)
4) STA → AP: KeyReplayCtr+1 | MIC_KIK
   (ACK to AP that STA got the msg (3) from AP)
AP: verify MIC and install keys

MIC_KIK = Message Integrity Code (computed by the mobile device using KIK)

KeyReplayCtr = a counter used to prevent replay attacks
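A runnable model of the four messages above, as an added example (not from the slides or the 802.11i text): both sides derive the PTK from the PMK, the two MAC addresses and the two nonces, and every MIC check and the KeyReplayCtr check is enforced. The HMAC-SHA1 expansion and its label are modelled on the 802.11i PRF; the MIC input layout, the XOR stand-in for {GTK}_KEK, the class and function names and the sample MAC addresses are assumptions.

```python
import hashlib
import hmac
import os

KEY_NAMES = ("KIK", "KEK", "DEK", "DIK")       # the slide's four 128-bit keys

def prf(key, label, data, nbytes):
    """HMAC-SHA1 expansion in the style of the 802.11i PRF."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Both sides compute the same PTK from PMK, addresses and nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {n: ptk[16 * i:16 * i + 16] for i, n in enumerate(KEY_NAMES)}

def mic(kik, *fields):
    return hmac.new(kik, b"".join(fields), hashlib.sha1).digest()[:16]

def ctr_bytes(ctr):
    return ctr.to_bytes(8, "big")

def wrap(kek, anonce, gtk):
    """Stand-in for {GTK}_KEK: XOR with a KEK-derived stream (assumption)."""
    stream = prf(kek, b"GTK wrap stand-in", anonce, len(gtk))
    return bytes(a ^ b for a, b in zip(gtk, stream))

class AccessPoint:
    def __init__(self, pmk, mac, sta_mac):
        self.pmk, self.mac, self.sta_mac = pmk, mac, sta_mac
        self.anonce, self.gtk = os.urandom(32), os.urandom(32)
        self.ctr, self.pending, self.ptk = 1, None, None

    def msg1(self):
        return self.anonce, self.ctr

    def on_msg2(self, snonce, ctr, tag):
        ptk = derive_ptk(self.pmk, self.mac, self.sta_mac, self.anonce, snonce)
        good = mic(ptk["KIK"], snonce, ctr_bytes(ctr))
        if ctr != self.ctr or not hmac.compare_digest(tag, good):
            raise ValueError("msg 2 rejected: STA did not prove knowledge of PMK")
        self.pending, self.ctr = ptk, self.ctr + 1
        wrapped = wrap(ptk["KEK"], self.anonce, self.gtk)
        tag3 = mic(ptk["KIK"], self.anonce, ctr_bytes(self.ctr), wrapped)
        return self.anonce, self.ctr, wrapped, tag3

    def on_msg4(self, ctr, tag):
        good = mic(self.pending["KIK"], ctr_bytes(ctr))
        if ctr != self.ctr or not hmac.compare_digest(tag, good):
            raise ValueError("msg 4 rejected")
        self.ptk = self.pending                           # install keys

class Station:
    def __init__(self, pmk, mac, ap_mac):
        self.pmk, self.mac, self.ap_mac = pmk, mac, ap_mac
        self.last_ctr, self.anonce = 0, None
        self.pending, self.ptk, self.gtk = None, None, None

    def on_msg1(self, anonce, ctr):
        if ctr <= self.last_ctr:
            raise ValueError("msg 1 rejected: replayed KeyReplayCtr")
        self.last_ctr, self.anonce = ctr, anonce
        snonce = os.urandom(32)
        self.pending = derive_ptk(self.pmk, self.ap_mac, self.mac, anonce, snonce)
        return snonce, ctr, mic(self.pending["KIK"], snonce, ctr_bytes(ctr))

    def on_msg3(self, anonce, ctr, wrapped, tag):
        if ctr <= self.last_ctr:
            raise ValueError("msg 3 rejected: replayed KeyReplayCtr")
        good = mic(self.pending["KIK"], anonce, ctr_bytes(ctr), wrapped)
        if anonce != self.anonce or not hmac.compare_digest(tag, good):
            raise ValueError("msg 3 rejected: AP did not prove knowledge of PMK")
        self.last_ctr, self.ptk = ctr, self.pending       # install keys
        self.gtk = wrap(self.ptk["KEK"], anonce, wrapped)  # XOR also unwraps
        return ctr, mic(self.ptk["KIK"], ctr_bytes(ctr))

def run_handshake(ap_pmk, sta_pmk):
    """Run messages 1-4; return (ap, sta, msg3) or raise ValueError."""
    ap_mac = bytes.fromhex("020000000001")                # constructed addresses
    sta_mac = bytes.fromhex("020000000002")
    ap = AccessPoint(ap_pmk, ap_mac, sta_mac)
    sta = Station(sta_pmk, sta_mac, ap_mac)
    msg3 = ap.on_msg2(*sta.on_msg1(*ap.msg1()))
    ap.on_msg4(*sta.on_msg3(*msg3))
    return ap, sta, msg3
```

With matching PMKs both parties install the same PTK and GTK; a second delivery of message 3 is refused because its counter is no longer fresh, and a party without the PMK fails the first MIC check it meets.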


Four-way handshake protocol (3)

From now on, data packets sent between STA and AP are protected by DEK & DIK

They don’t protect msgs broadcast by AP to “its” STAs
– Bec. keys for broadcast msgs must be known to all STAs to which AP wants to broadcast
=> need group transient key (GTK) (next)


Group transient key (GTK)

– GTK includes:
  • group-encryption key (GEK)
  • group-integrity key (GIK)
– GTK sent to each STA separately
  • encrypted with KEK of this single STA


Key hierarchies (summary)

[Figure: key hierarchies]

PMK (pairwise master key)
– result of 802.1X authentication

PTK (pairwise transient keys), by key derivation in STA and AP:
- key encryption key
- key integrity key
- data encryption key
- data integrity key
(128 bits each)
– protection of unicast messages transmitted between STA and AP
– protection of the transport of GTK to every STA

GMK (group master key)
– random generation in AP

GTK (group transient keys), by key derivation in AP:
- group encryption key
- group integrity key
– protection of broadcast messages transmitted from AP to STAs


b.3.3. TKIP and AES-CCMP

Recall:

1) 802.11i specs define security architectures:
   * Old sec architecture (flawed) - protocol: WEP
     WEP security specification is a part of the IEEE 802.11 standard (Sept. ’99) [Wikipedia]
   * New sec architecture - protocols:
     Supersedes WEP, defined as IEEE 802.11i, draft standard ratified in June ’04 [Wikipedia]
     + RSN - uses AES cipher (instead of RC4 cipher)
       - needs new h/w
     + TKIP (optional protocol) - uses RC4 cipher
       - uses old h/w

2) Industry specs define security architectures:
   + WPA (WiFi Protected Access) - based on TKIP
   + WPA2 - name used for RSN by many WiFi manufacturers


TKIP and AES-CCMP

Summary: AES used in RSN (=WPA2)

RC4 used in TKIP & WPA


TKIP

TKIP runs on old hardware (that supports RC4), but ...

...WEP weaknesses are corrected by TKIP
– TKIP fix for integrity: Michael - new msg integrity protection mechanism
  • MIC (Message Integrity Code) value is added at SDU level (service data unit level) before fragmentation into PDUs
    - that is, MIC value added to data received by MAC layer from higher layers before these data are fragmented
  • implemented in the device driver (in software)


TKIP (2)

– TKIP fix for confidentiality: (recall: IV used as a replay counter)

• to fix IV reuse problem: increase IV length to 48 bits (from 24 bits)

• to fix weak keys problem: use per-packet keys (prevents attacker from observing a sufficient # of msgs encrypted with the same, potentially weak, key)

next sl.: new IV mechanism & generation of msg keys


TKIP – Generating RC4 keys

[Figure: the 48-bit IV is split into its upper 32 bits and lower 16 bits. Key mix (phase 1) takes the upper 32 bits, the 128-bit DEK (data encryption key) from PTK and the MAC address; key mix (phase 2) combines the phase 1 output with the lower 16 bits. The result is the RC4 seed value (128 bits): a 3x8 = 24-bit IV field (including a dummy byte d) followed by the 104-bit per-packet key.]

Recall:
- IV size in TKIP is increased from 24 to 48 bits.
- This creates difficulty: the old WEP hardware still expects a 128-bit RC4 seed value.
  => 48-bit IV & 104-bit key must be compressed into 128 bits.

The figure shows how this is done, that is, how the RC4 seed values (keys) are generated.


AES-CCMP (used in RSN)

AES = AES cipher algorithm
CCMP = CTR mode + CBC-MAC
– encryption based on CTR mode (using AES – next slide)
– integrity protection based on CBC-MAC (using AES - below)

SKIP- Calculation of CBC-MAC
– CBC-MAC is computed over the MAC header, CCMP header, and the MPDU (fragmented data)
– mutable fields are set to zero
– input is padded with zeros if length is not multiple of 128 (bits)
– CBC-MAC initial block:
  • flag (8)
  • priority (8)
  • source address (48)
  • packet number (48)
  • data length (16)
– final 128-bit block of CBC encryption is truncated to (upper) 64 bits to get the CBC-MAC value


AES-CCMP

SKIP- CTR mode encryption
– MPDU and CBC-MAC value is encrypted, MAC and CCMP headers are not
– format of the counter is similar to the CBC-MAC initial block
  • “data length” replaced by “counter”
  • counter initialized with 1 and incremented after each encrypted block


SKIP- b.3.3. Bluetooth

P. 27 - 31


b.4. Summary of WiFi security

Security always considered important for WiFi

Early solution based on WEP
– seriously flawed
– not recommended to use

802.11i - the new security standard for WiFi
– access control model based on 802.1X
– flexible authentication based on:
  • EAP
  • upper layer authentication protocols (e.g., TLS, GSM authentication)
– improved key management
– TKIP
  • uses RC4 => runs on old hardware…
  • … but corrects WEP’s flaws
  • mandatory in WPA, optional in RSN (=WPA2)
– AES-CCMP
  • uses AES in CCMP mode (CTR mode and CBC-MAC)
  • needs new hardware that supports AES


Recommended books

V. Niemi and K. Nyberg. UMTS Security. Wiley, 2003.
J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.

Caution: books describing standards age very quickly (especially in this field) !


THE END


SKIP- Generation of the authentication vectors (by the Home Environment)

[Figure: the Home Environment generates SQN and RAND; the functions f1, f2, f3, f4 and f5, with inputs K and AMF, output MAC (Message Authentication Code), XRES (Expected Result), CK (Cipher Key), IK (Integrity Key) and AK (Anonymity Key).]

Authentication token: AUTN := (SQN ⊕ AK) || AMF || MAC

Authentication vector: AV := RAND || XRES || CK || IK || AUTN

AMF: Authentication and Key Management Field


SKIP- More about the authentication and key generation function

In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).

f1, f1*, f2, f3, f4, f5 and f5* are operator-specific

However, 3GPP provides a detailed example of algorithm set, called MILENAGE

MILENAGE is based on the Rijndael block cipher

In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm


SKIP- Authentication and key generation functions f1…f5*

[Figure: MILENAGE structure. RAND, SQN||AMF and OPc are combined through EK blocks, rotations by r1…r5 and additions of c1…c5 to produce f1, f1*, f5, f2, f3, f4 and f5*; OPc is derived from OP with EK.]

OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants

EK: Rijndael block cipher with 128 bits text input and 128 bits key


SKIP- f9 integrity function

[Figure: f9 structure. The input COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0…0 is split into blocks PS0, PS1, PS2, …, PSBLOCKS-1, which are processed by a chain of KASUMI blocks keyed with IK; a final KASUMI block keyed with IK and KM produces MAC-I (left 32-bits).]

• KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits)
• PS: Padded String
• KM: Key Modifier


SKIP- Ciphering method

[Figure: the sender (Mobile Station or Radio Network Controller) and the receiver (Radio Network Controller or Mobile Station) each run f8 with inputs CK, BEARER, COUNT-C, LENGTH and DIRECTION to produce a KEYSTREAM BLOCK; the sender combines it with the PLAINTEXT BLOCK to obtain the CIPHERTEXT BLOCK, and the receiver combines it with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK.]

BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter


SKIP- f8 keystream generator

[Figure: f8 structure. COUNT || BEARER || DIRECTION || 0…0 is processed by a KASUMI block keyed with CK and KM and held in a register; a chain of KASUMI blocks keyed with CK, indexed by BLKCNT=0, BLKCNT=1, BLKCNT=2, …, BLKCNT=BLOCKS-1, outputs KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …]

KM: Key Modifier
KS: Keystream


SKIP- Detail of Kasumi

[Figures:
 Fig. 1: KASUMI (rounds 1 to 8 built from the FL1…FL8 and FO1…FO8 functions on the 32-bit halves L0, R0 … L8, R8, with subkeys KL1…KL8, KO1…KO8 and KI1…KI8)
 Fig. 2: FO Function (FIi1, FIi2, FIi3 with subkeys KOi,1…KOi,3 and KIi,1…KIi,3)
 Fig. 3: FI Function (S-boxes S9 and S7, zero-extend and truncate steps, subkeys KIi,j,1 and KIi,j,2)
 Fig. 4: FL Function (bitwise AND operation, bitwise OR operation and one bit left rotation <<<, with subkeys KLi,1 and KLi,2)]

KLi, KOi, KIi: subkeys used at ith round
S7, S9: S-boxes


SKIP- Signaling integrity protection method

[Figure: the sender (MS or Radio Network Controller) runs f9 with inputs IK, SIGNALLING MESSAGE, COUNT-I, FRESH and DIRECTION to compute MAC-I; the receiver (Radio Network Controller or MS) runs f9 with the same inputs to compute XMAC-I.]

FRESH = random input


SKIP- Protocols – LEAP, EAP-TLS, PEAP, EAP-SIM

LEAP (Light EAP)
– developed by Cisco
– similar to MS-CHAP extended with session key transport

EAP-TLS (TLS over EAP)
– only the TLS Handshake Protocol is used
– server and client authentication, generation of master secret
– TLS master secret becomes the session key
– mandated by WPA, optional in RSN

PEAP (Protected EAP)
– phase 1: TLS Handshake without client authentication
– phase 2: client authentication protected by the secure channel established in phase 1

EAP-SIM
– extended GSM authentication in WiFi context
– protocol (simplified):
    STA → AP: EAP res ID ( IMSI / pseudonym )
    STA → AP: EAP res ( nonce )
    AP: [gets two auth triplets from the mobile operator’s AuC]
    AP → STA: EAP req ( 2*RAND | MIC_2*Kc | {new pseudonym}_2*Kc )
    STA → AP: EAP res ( 2*SRES )
    AP → STA: EAP success