session_11_wireless_security_103008 - Wireless Security...


Wireless Security
Cryptography and Network Security
TECH 6350
Session 11
Wireless Security
Manuel Mogollon
m_mogollon@verizon.net
Graduate School of Management
Information Assurance
University of Dallas
M. Mogollon – 01/08

Session 12 – Contents
• Types of Wireless Networks
— Wireless Metropolitan Area Networks (WMAN) - WiMax
— Wireless Local Area Networks (WLAN) / Wi-Fi
— Wireless Personal Area Network (WPAN) – Bluetooth
— Low-Rate Wireless Personal Area Network (LR-WPAN) – Zigbee

The Wireless Landscape

Low-Rate Wireless Personal Area Network (LR-WPAN)
• General-purpose, inexpensive, self-organizing mesh network.
• Low data rates and low power consumption; a year or two with a single alkaline battery.

Wireless Wide Area Network (WWAN)
• Metro/Geographical area
• “Always On” Services
• Ubiquitous public connectivity with private virtual networks

Wireless Personal Area Network (WPAN)
• Small form factor, low-cost, short range, low power, radio technology.
• Developed to link portable devices without cables.
• Non-licensed spectrum

Wireless Local Area Network (WLAN) and Wireless Metropolitan Area Network (WMAN)
• Public or Private Site or Campus Enterprise.
• Non-licensed spectrum

[Figure: level of mobility (Fixed/Desktop, Walk, Vehicle; Within Campus, Outside Campus) against data rate in Mbps for Zigbee, Bluetooth, Wi-Fi, 802.11n (MIMO), WIMAX, WIMAX (MIMO), CDMA2000 1XRT, CDMA2000 3XRT, 4G, and LAN.]

• When talking about wireless data communications, there are three primary categories of networks: Wireless Metropolitan-Area Network (WMAN), Wireless Local Area Network (WLAN), and Wireless Personal Area Network (WPAN). The terms WIMAX and Wi-Fi are used instead of WMAN and WLAN respectively.
• The Worldwide Interoperability for Microwave Access (WIMAX™) brand was created by the WiMAX Forum™, which is working to facilitate the deployment of broadband wireless networks based on the IEEE 802.16 standard. It achieves this by helping to ensure the compatibility and inter-operability of broadband wireless access equipment. The organization is a global, nonprofit association formed in June of 2001 by equipment and component suppliers to promote IEEE 802.16 compliant equipment. WiMAX technology enables the delivery of last mile wireless broadband access as an alternative to cable and DSL.
• WIMAX is similar to Wi-Fi in the sense that both create hot-spots around a base station, but WIMAX has a wider range, up to 25 to 30 miles.
• A WLAN or Wi-Fi can be used to connect computers to each other, to the Internet, and to wired networks. The Wi-Fi™ (Wireless Fidelity) brand was created by the Wi-Fi Alliance. The organization is a global, nonprofit association formed in 1999 to certify the interoperability of IEEE 802.11 products, as well as to promote 802.11 standards as the global, wireless LAN standards across all market segments. The Wi-Fi Alliance has instituted a test suite to certify Wi-Fi products’ interoperability. Wi-Fi networks use radio technologies based on the IEEE 802.11a, 802.11b, and 802.11g standards.
• A Wireless Personal Area Network (WPAN) uses a low cost, short-range wireless specification called Bluetooth to connect mobile devices. The Bluetooth Special Interest Group (SIG), created in September 1998, is a trade association comprised of leaders in the telecommunications, computing, automotive, industrial automation, and network industries. The objective of SIG is to drive the development of Bluetooth wireless technology. The Bluetooth SIG name was inspired by Danish King Harald Bluetooth, known for unifying Denmark and Norway in the 10th century.

Wireless Networks

| Network | Standard | Range | Data Rate |
|---|---|---|---|
| WMAN (Wireless Metropolitan Area Network) - WIMAX | IEEE 802.16I | Approximately 30 miles radius | 78 Mbps |
| WLAN (Wireless Local Area Network) – WiFi | IEEE 802.11 | Approximately 300 feet radius | 54 Mbps |
| WPAN (Wireless Personal Area Network) – Bluetooth | IEEE 802.15 | Approximately 30 feet radius | 1, 2, or 3 Mbps |
| LR-WPAN (Low-Rate Wireless Personal Area Networks) – Zigbee | IEEE 802.15.4 | Approximately 150 feet radius | 250 Kbps |

WIMAX
• WIMAX is very similar to a Wi-Fi but it operates at higher speeds, over greater distances, and for a greater number of users.
• From the point of view of the infrastructure, a WiMAX network is similar to a cellular network.
— A base station covers a very large area and can simultaneously operate as a subscriber station and as a base station in a full mesh network using a line-of-sight link.
— A subscriber station, which could be a small WIMAX receiver box, or a mobile station.
• WIMAX operates in two primary bands, the 10-66 GHz band used where line-of-sight is necessary, and the licensed and un-licensed frequencies of 2 – 11 GHz for those physical environments where line-of-sight is not necessary.
• WIMAX also supports subscriber stations moving at vehicular speeds.
— The spectrum at 2.5 GHz and below (2.5 GHz, 1.5 GHz, 700 MHz, etc.) is used because it has better characteristics for full mobility deployment.
• WIMAX throughput is around 38 Mbit/sec when using orthogonal frequency division multiplexing (OFDM), and 78 Mbit/sec when OFDM is combined with multiple-input multiple-output (MIMO) antenna processing technology.
• WiMAX expands the availability of broadband service to residences, businesses and other locations with a high cost of wire deployment.
— Low-density rural locations in developed countries
— Emerging markets where user connectivity is sporadic.

• WIMAX is a fixed and mobile broadband wireless access system that can operate as a wireless metropolitan area network and deliver Internet access at distances across tens of miles and at a cost similar to IEEE 802.11 (Wi-Fi). The 802.16 standard on which WIMAX is based was designed from the ground up to be truly broadband and packet-based. WIMAX provides a wireless alternative to cable and DSL for last mile (last km) broadband access.
• A WIMAX network is very similar to a Wi-Fi network, but it operates at higher speeds, over greater distances, and for a greater number of users. From the point of view of the infrastructure, a WIMAX network is similar to a cellular network: it consists of a single WIMAX tower that covers a very large area called a base station (BS) and a subscriber station (SS), which could be a small WIMAX receiver box, or mobile station. The receiver box can be installed inside or outside of a building or house.
• The WIMAX tower node can simultaneously operate as a subscriber station and as a base station in a full mesh network using a line-of-sight link. Using this technology, there are currently several cities worldwide that are implementing WIMAX mesh networks using various base stations as backhauls to cover the whole city. These networks connect one or several of the base stations to an Internet backbone via a microwave link or by fiber optic cable.
• The original WIMAX standard (2001) 802.16, “Fixed Wireless Broadband and Air Interface,” used the spectrum in the 10 - 66 GHz. The 802.16-2004 standard, “Air Interface for Fixed Broadband Wireless Access Systems,” consolidated 802.16, 802.16a, and 802.16c. The 802.16-2004 specifies two primary bands, the 10-66 GHz band to use where line-of-sight is necessary, and the licensed and un-licensed frequencies of 2 – 11 GHz for those physical environments where line-of-sight is not necessary.
• In the line-of-sight service, a fixed dish antenna located on the roof or on a pole, points straight at the WiMAX tower. The higher frequencies in 10-66 GHz allow transmission with fewer errors, less interference, and more bandwidth. The target customers for these services are large carriers, as well as cities and enterprises. In the non-line-of-sight, 2 – 11 GHz spectrum, the subscriber station can be located inside a house or building and, because of the lower frequencies used, the transmission is not obstructed by physical locations.

WIMAX Network
[Figure: WIMAX Network. Labels: Subscriber Station (four), Base Station 1, Base Station 2, Carrier, Fiber Optics; Line of sight, 10 – 66 GHz band, 38 to 78 Mbit/sec; Base Station 1 is acting as client to Base Station 2.]

WIMAX Security
• WIMAX provides subscribers with privacy, authentication, and confidentiality across the broadband wireless network.
• WIMAX security has three component protocols as follows:
— Secure encapsulation of the data exchanged.
— Authentication for the subscriber station (SS) to obtain authorization and traffic keying material from the base station (BS); also supports periodic reauthorization and key refresh.
— A privacy key management protocol (PKM) to provide the secure distribution of keying data from the BS to the SS.

• WIMAX security provides subscribers with privacy, authentication, and confidentiality across the broadband wireless network. It does this by applying cryptographic transformations to the data carried between the BS and the SS, either fixed or mobile.
• In addition, WIMAX security provides operators with strong protection from theft of service. The BS protects against unauthorized access to data transport services by securing the associated service flows across the network.
For key management, WIMAX employs an authenticated client/server key management protocol in which the BS, the server, controls the distribution of keying material to an SS. Additionally, the basic security mechanisms are strengthened by adding digital certificates to the key management protocol for device authentication of the SS or mobile station.
• In WIMAX and in Wi-Fi, the unit of data exchanged between two peer entities to implement the access control management protocol is called Medium Access Control Management Protocol Data Unit (MPDU). The MPDU term is used in this chapter when describing the data exchanged between a base station and a subscriber station or mobile station, in the case of WIMAX, or between a client and the access point, in the case of Wi-Fi.

WIMAX Key Generation
• The Privacy Key Management authentication protocol establishes a shared secret key, called an Authorization Key (AK), between the SS and the BS.
• Either RSA or EAP methods are used to generate the AK (Slide 8).
• The Authorization Key is then used, by both the BS and the SS, to generate MAC Keys, HMAC Keys and Key Encrypting Keys (KEK) (Slide 9).
• The KEK is used to encrypt keys for transport from the BS to the SS.
• The BS randomly generates the Traffic Encryption Key (TEK), enciphers it using KEK, and sends it to the SS in the TEK exchange. KEK and TEK have 128-bit lengths. The TEK-128 is encrypted with AES Key Wrap (Slide 10).

• The Privacy Key Management (PKM) authentication protocol establishes a shared secret key called an Authorization Key (AK) between the SS and the BS. The shared AK is then used to secure subsequent PKM exchanges of Traffic Encryption Keys (TEKs). This two-tiered mechanism for key distribution permits refreshing of TEKs without incurring the overhead of computation-intensive operations.
• With the AK exchange, the BS authenticates the identity of a SS and the services the SS is authorized to access. By doing this, the BS associates an SS authenticated identity to a paying subscriber, and to the data services that the subscriber is authorized to access.
• There are two privacy key management protocols supported in IEEE 802.16e: PKMv1 and PKMv2. PKMv2 has more enhanced features such as a new key hierarchy, AES-CMAC, AES key wraps, and multicast and broadcast services (MBS).
• In PKMv2, there are two authentication schemes, one based on RSA and one based on EAP; therefore, there are two primary sources of keying material. The keys used to protect message integrity and transport the traffic encryption keys are derived from source key material generated by the authentication and authorization processes.
• The traffic-key management portion of the PKM protocol adheres to a client/server model, where the SS (a PKM client) requests keying material, and the BS (a PKM server) responds to those requests, ensuring that individual SS clients receive only the keying material for which they are authorized.

WIMAX Key Generation
[Figure: derivation of the AK from the two roots of the key hierarchy.]
• MSK - 512-bit Primary Authorization Key transferred to SS by EAP method during the authentication exchange
• Pre-PAK – 256-bit Primary Authorization Key transferred from BS to SS using RSA during the authorization process
• From MSK: Truncate (MSK, 160) gives PMK and optional EIK
• From pre-PAK: Dot16KDF (pre-PAK, SS MAC Address|BSID| EIK+PAK, 320) gives EIK (160 bits) and PAK (160 bits)
• From PMK: Dot16KDF (PMK, SS MAC Address|BSID| AK, 160) gives AK
• From PAK: Dot16KDF (PAK, SS MAC Address|BSID| AK, 160) gives AK
MSK = Master Session Key
PMK = Pairwise Master Key
PAK = Primary Authorization Key
EIK = EAP Integrity Key
AK = Authorization Key

Primary Authorization Key (PAK)
• The RSA-based authorization process yields the Pre-Primary Authorization Key (pre-PAK), which is one of the possible roots of the key hierarchy. The pre-PAK is sent by the BS to the SS encrypted with the public key of the SS certificate. Pre-PAK is mainly used to generate the primary authorization key (PAK). The optional EAP Integrity Key (EIK) used to authenticate the EAP payload is also generated from pre-PAK.

Master Session Key (MSK)
• If an RSA mutual authorization took place before the EAP exchange, the EAP messages may be protected using EIK-EAP Integrity Key derived from pre-PAK.
• The result of the EAP exchange between the BS and SS is the master session key (MSK), which is the other possible root of the key hierarchy. After the exchange, MSK is known to the AAA server, to the authenticator (transferred from AAA server), and to the SS. The SS and the authenticator derive a pairwise master key (PMK) and optional EIK by truncating the MSK to 320 bits. MSK has a 512-bit length; PMK and EIK have a 160-bit length.

Authorization Key (AK)
• Independent of whether RSA or EAP authentication is used, the AK is derived by the BS and the SS from the PMK (from EAP-based authorization procedure) and/or the PAK (from RSA-based authorization procedure). The AK has 160-bit length.
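
The two roots described above, carried through to the AK and on to the HMAC/CMAC keys and KEK that the key-generation overview says are derived from it, as an added example (not code from the course notes or from IEEE 802.16). The `expand` function is an HMAC-SHA1 counter-mode stand-in and not the standard's Dot16KDF; the MAC address, BSIDs and root keys are constructed sample values, and derived material is split in the order the slides list the keys.

```python
import hashlib
import hmac


def expand(key: bytes, label: bytes, bits: int) -> bytes:
    """Stand-in for Dot16KDF (assumption: HMAC-SHA1 in counter mode,
    NOT the algorithm defined in IEEE 802.16). Returns `bits` bits."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        msg = counter.to_bytes(4, "big") + label + bits.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]


def ak_from_eap(msk: bytes, ss_mac: bytes, bsid: bytes) -> bytes:
    """EAP root: MSK (512 bits) -> PMK (160 bits) -> AK (160 bits)."""
    if len(msk) != 64:
        raise ValueError("MSK must be 512 bits")
    pmk = msk[:20]  # slide: Truncate(MSK, 160); the optional EIK is omitted
    return expand(pmk, ss_mac + bsid + b"AK", 160)


def ak_from_rsa(pre_pak: bytes, ss_mac: bytes, bsid: bytes):
    """RSA root: pre-PAK (256 bits) -> EIK + PAK (160 bits each) -> AK."""
    if len(pre_pak) != 32:
        raise ValueError("pre-PAK must be 256 bits")
    material = expand(pre_pak, ss_mac + bsid + b"EIK+PAK", 320)
    eik, pak = material[:20], material[20:]
    return eik, expand(pak, ss_mac + bsid + b"AK", 160)


def hmac_context(ak: bytes, ss_mac: bytes, bsid: bytes) -> dict:
    """AK -> 448 bits: HMAC_KEY_U (160), HMAC_KEY_D (160), KEK (128)."""
    m = expand(ak, ss_mac + bsid + b"HMAC_KEYS+KEK", 448)
    return {"HMAC_KEY_U": m[:20], "HMAC_KEY_D": m[20:40], "KEK": m[40:56]}


def cmac_context(ak: bytes, ss_mac: bytes, bsid: bytes) -> dict:
    """AK -> 384 bits: CMAC_KEY_U (128), CMAC_KEY_D (128), KEK (128)."""
    m = expand(ak, ss_mac + bsid + b"CMAC_KEYS+KEK", 384)
    return {"CMAC_KEY_U": m[:16], "CMAC_KEY_D": m[16:32], "KEK": m[32:48]}


# Constructed sample inputs (not taken from any real device or network).
SS_MAC = bytes.fromhex("02005e000001")
BSID = bytes.fromhex("02005e0000aa")
OTHER_BSID = bytes.fromhex("02005e0000bb")
MSK = hashlib.sha512(b"constructed sample MSK").digest()
PRE_PAK = hashlib.sha256(b"constructed sample pre-PAK").digest()


def demo() -> dict:
    """Derive the hierarchy on both ends and report what matches."""
    ak_ss = ak_from_eap(MSK, SS_MAC, BSID)  # computed by the SS
    ak_bs = ak_from_eap(MSK, SS_MAC, BSID)  # computed by the BS
    ak_other = ak_from_eap(MSK, SS_MAC, OTHER_BSID)
    keys = hmac_context(ak_ss, SS_MAC, BSID)
    return {
        "both_ends_agree": hmac.compare_digest(ak_ss, ak_bs),
        "ak_bound_to_bsid": ak_ss != ak_other,
        "uplink_differs_from_downlink": keys["HMAC_KEY_U"] != keys["HMAC_KEY_D"],
        "key_bits": {name: len(k) * 8 for name, k in keys.items()},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the SS MAC address and BSID are part of every derivation input, the same root key yields a different AK, and therefore different MAC keys and KEK, for each SS/BS pair.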

WIMAX Key Hierarchy
[Figure: keys derived from the AK, by MAC mode.]
• AK – 160-bit Authentication Key (AK) context
• CMAC mode: Dot16KDF (AK, SS MAC Address|BSID| CMAC_KEYS+KEK, 384) gives CMAC_KEY_U (128 bits), CMAC_KEY_D (128 bits), KEK (64 or 128 bits)
• HMAC mode: Dot16KDF (AK, SS MAC Address|BSID| HMAC_KEYS+KEK, 448) gives HMAC_KEY_U (160 bits), HMAC_KEY_D (160 bits), KEK (128 bits)
MAC = Message Authentication Code
CMAC = Cipher MAC (MAC based on block cipher)
CMAC_KEY_U = Uplink CMAC Key
CMAC_KEY_D = Downlink CMAC Key
HMAC_KEY_U = Uplink HMAC Key
HMAC_KEY_D = Downlink HMAC Key
KEK = Key Encrypting Key

Message Authentication Keys (HMAC/CMAC)
• MAC keys are used to sign messages in order to validate the authenticity of these messages. The message authentication keys used to generate the cipher-based MAC (CMAC) value (Dworkin, 2005) and the HMAC digest are derived from the AK. The HMAC has a 160-bit length and CMAC has a 128-bit length.
• A CMAC is a message authentication code (MAC) algorithm that is based on a symmetric key block cipher. CMAC is specified in Special Publication 800-38B “Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication”. The downlink authentication keys CMAC_KEY_D and HMAC_KEY_D are used to authenticate messages in the downlink direction. The uplink authentication keys CMAC_KEY_U and HMAC_KEY_U are used to authenticate messages in the uplink direction.

Key Encrypting Key (160 bits) and Traffic Encryption Key
• Another key, the key encrypting key (KEK), is derived directly from the AK by both the BS and the SS. The KEK is used to encrypt keys for transport from the BS to the SS. In addition, the BS randomly generates the traffic encryption key (TEK), enciphers it using KEK, and sends it to the SS in the TEK exchange. KEK and TEK have a 128-bit length. The TEK-128 is encrypted with AES key wrap.
• The BS and SS maintain two sets of TEKs and their associated initialization vectors (IVs) per security association identifier (SAID), corresponding to two successive generations of key materials. The two TEKs have overlapping lifetimes.

WIMAX TEK and Group Keys Derived by the BS
[Figure: keys generated by the BS and sent to the SS.]
• TEK: generated by the RNG, encrypted with KEK, sent to SS
• GKEK: generated by the RNG, encrypted with KEK, sent to SS
• GTEK: generated by the RNG, encrypted with GKEK, sent to SS
RNG = Random Number Generator
TEK = Traffic Encrypting Key (64 or 128 bits)
GKEK = Group Key Encryption Key
GTEK = Group Traffic Encrypting Key

Group Key Encrypting Key and Group Traffic Encryption Key
• The BS also randomly generates another key, the group key encrypting key (GKEK), which it enciphers using KEK and sends to all the subscriber stations in the group security association (GSA). GKEK is used to encrypt the group traffic encryption key (GTEK), which is sent in multicast messages by the BS to the subscriber stations in the same multicast group.

Security Associations
• Security associations in WIMAX are used in the same way and have the same meaning as the security associations used in IPSec, as well as the security capabilities used in TLS and SSL.
• A Security Association (SA) associates the security parameters with the traffic to be protected.
• Once the SA for a specific connection is defined, it is assigned an identifier, the Security Association ID (SAID).
• When a connection is established between a BS and an SS, the two need to agree on, among other things, the following:
— The encryption and authentication algorithms.
— The crypto keys, the key sizes, and key lifetimes.
— How to exchange keys, the initialization values, and other related security parameters.

• Security associations in WIMAX are used in the same way and have the same meaning as the security associations used in IPsec; they also have the same security capabilities used in TLS and SSL. A security association (SA) associates the security parameters with the traffic to be protected. Another way to define an SA is to say that an SA describes the security parameter information agreed upon between a sender and a receiver on how to secure a communication – in the case of WIMAX, between a BS and a SS.
• When a connection is established between a BS and an SS, the two need to agree on, among other things, the encryption and authentication algorithms, the crypto keys, the key sizes, key lifetimes, how to exchange keys, the initialization values, and other related security parameters. Once the SA for a specific connection is defined, it is assigned an identifier, the security association ID (SAID).
• There are three types of SAs in WIMAX: unicast connections, GSA for multicast groups, and MBSGSA for MBS services. The unicast SAs can be primary, static, and dynamic. In general, the following is the information contained in a SA:
• The SAID, a 16-bit identifier of the SA.
• The KEK, a 128-bit key encryption key derived from the AK.
• The TEK, 128-bit traffic encryption key, generated within the BS and transferred from the BS to the SS using a secure exchange.
• The TEK’s lifetime.
• PNO and PN32, a 32-bit packet number for use by the link cipher.
• RxPN0 and RxPN1, a 32-bit received sequence counter, for use by the link cipher.

WIMAX Authorization and AK Exchange
(Messages between the Subscriber Station and the Base Station)

Authentication Information
• The authentication information message is strictly informative.
• It contains the SS X.509 certificate.

Authorization Request
• SS X.509 certificate.
• List of crypto suites (security associations’ IDs) supported by the SS.
• SS Connection Identifier (CID).

Authorization Reply
• A pre-PAK or MSK encrypted with the SS public key.
• A key lifetime.
• A 4-bit sequence number used to distinguish successive generations of Pre-PAK or MSK.
• The SAID used by the SS to obtain keying information.

Creating the PAK or PMK and AK
• SS and BS create the PAK or PMK, and from the PAK or PMK derive the 160-bit AK (Authentication Key).

• A BS authenticates a client SS during the initial authorization exchange. All SSs have factory-installed RSA private/public key pairs and X.509 certificates, or have an internal algorithm to generate such key pairs dynamically; they also have the means to create X.509 certificates. The digital certificate contains the SS’s public key and MAC address. When requesting an authorization key an SS presents its digital certificate to the BS. The BS verifies that the digital certificate is authentic, and then uses the verified public key to encipher an AK, which the BS then transmits back to the requesting SS.

WIMAX Re-Authentication & TEK Exchange
(Messages between the Base Station and the Subscriber Station)

Creating CMAC or HMAC and KEK
• SS and BS create CMAC or HMAC and KEK.

Re-Authentication
• The SS sends re-authentication request signed by HMAC or CMAC.

Key Request
• SS requests a TEK.

Key Reply
• The BS generates TEK as a random number and enciphers it using a wrapping algorithm keyed with the KEK.
• The BS sends the encrypted TEK to SS.
• SS deciphers the encrypted TEK using the wrapping algorithm keyed with KEK.

BS and SS are ready to send encrypted information using the data encryption algorithm specified in the cipher suite keyed with TEK. Exchanged ciphertext messages are authenticated using HMAC or CMAC.

• From the AK, the SS and the BS create the key for the CMAC, HMAC, and the key encrypting key (KEK).
When the service is ready to transmit and receive data, the SS requests a traffic encryption key (TEK) for the connection. Using a pseudorandom number generator, the BS generates a TEK. The TEK is encrypted using a wrapping algorithm keyed with the KEK and transmitted to the SS. The SS deciphers the encrypted TEK using the same wrapping algorithm keyed with KEK.
• At this moment, the BS and the SS are ready to send encrypted information using the data encryption algorithm specified in the cipher suite keyed with TEK. Exchanged ciphertext messages are authenticated using HMAC or CMAC.
• The AK and TEK have a limited lifetime and are periodically refreshed according to the authorized grace time and TEK grace time encoding.

WIMAX Cryptographic Suites

| Value | Data Encryption | Data Authentication | TEK Exchange |
|---|---|---|---|
| 0x000001 | No data encryption | No data authentication | 3-DES, 128 |
| 0x010001 | CBC-Mode 56-bit DES | No data authentication | 3-DES, 128 |
| 0x000002 | No data encryption | No data authentication | RSA, 1024 |
| 0x010002 | CBC-Mode 56-bit DES | No data authentication | RSA, 1024 |
| 0x020103 | CCM-Mode 128-bit AES | CCM-Mode, 128-bit | ECB mode AES with 128-bit key |
| 0x020104 | CCM-Mode 128bits AES | CCM-Mode | AES Key Wrap with 128-bit key |
| 0x030003 | CBC-Mode 128-bit AES | No data authentication | ECB mode AES with 128-bit key |
| 0x800003 | MBS CTR Mode 128 bits AES | No data authentication | AES ECB mode with 128-bit key |
| 0x800004 | MBS CTR mode 128 bits AES | No data authentication | AES Key Wrap with 128-bit key |
| All remaining values | Reserved | | |

• WIMAX uses two encryption algorithms to encipher data, DES in CBC mode and AES in CCM, CBC, or CTR modes. The type of encryption algorithm to use is designated in the data encryption algorithm identifier in the cryptographic suite. A cryptographic suite is the SA’s set of methods for data encryption, data authentication, and TEK exchange. The WIMAX cryptographic suites are listed in Table 14-2.
• The AES CCM mode is defined in NIST “Special Publication 800-38C, FIPS-197,” and is explained in WLAN Security Enhancement, “CTR with CBC-MAC Protocol section.” The AES CBC mode is defined in NIST Special Publication 800-38A, FIPS-197 and is explained in Session 2, “Cipher Block Chaining (CBC) Mode.”

WIMAX AES Residual Termination Block Processing
[Figure: AES-CBC residual termination block processing, showing encryption (EK) and decryption (DK) of the last two blocks, with the next-to-last ciphertext block split into a bits and (b – a) bits.]
Pn = Last plaintext block
Pn-1 = Next to last plaintext block
Cn = Last ciphertext block
Cn-1 = Next to last ciphertext block
EK = Encryption with key K
DK = Decryption with key K
b = Block size
a = Number of bits in Pn
Ö = Padded bits
C = Ciphertext of Ö

• The AES-CBC residual termination is defined in 802.16-2005 as follows:
• If the final short plaintext block is a bits, where a is less than the cipher block size b, the next to last plaintext is enciphered and the ciphertext block is divided into two parts. One of the parts is a bits and the other part is b – a bits. The b – a part of the ciphertext is concatenated with the padding used in the short plaintext and is sent as the final block cipher. The short plaintext block is padded to complete a plaintext block, encrypted with AES in CBC mode, and sent as the next-to-last ciphertext.
• If the payload is less than the cipher block size, the most significant n bits of the generated CBC IV are XORed with the n bits of the payload to generate the short cipher block.
• The AES CTR mode is defined in “NIST Special Publication 800-38A, FIPS-197” and is explained in Session 2, “Counter (CTR) Mode.” In the CTR mode, input blocks are blocks of bits called counters that must have the property that each counter block in the sequence is different from every other counter block. There are several methods to generate the counters.
• In WIMAX, a 32-bit nonce is made of an 8-bit rollover counter (ROC) and the 24-bit synchronization field or frame number. The nonce is repeated four times to construct the 128-bit counter block required by the AES-128 cipher: initial counter = nonce || nonce || nonce || nonce. The 8-bit ROC is sent in clear and concatenated with the AES-CTR ciphertext. Therefore, the encryption process yields a payload that is 8 bits longer than the plaintext payload.
• The NIST AES key wrap algorithm is designed to wrap or encrypt key data. The key wrap operates on blocks of 64 bits. Before being wrapped, the key data is parsed into n blocks of 64 bits. The only restriction the key wrap algorithm places on n is that n be at least two. It is recognized that n ≤ 4 will accommodate all supported AES key sizes.

Wireless LAN (WLAN) - WiFi
[Figure: a WLAN Security Switch with Subnet “A” and Subnet “B”, each served by WLAN APs; PDAs and terminals with WLAN mobile adaptors roam from one to the other.]

• WLANs are normally privately owned networks that companies or individuals set up for the use of their employees or their own use. The WLAN data transfer rate is currently up to 54 Mb, but it has a limited coverage of up to approximately 300 feet. The range of current 802.11g technology can be improved threefold by using multiple transmitter and receiver antennas and by overlapping the signals of two wireless-G compatible radios, the Multiple In, Multiple Out (MIMO). MIMO also improves the data rate by yielding up to 8 times more throughput than Wireless-G.
• Wireless networks have fundamental characteristics that make them significantly different from traditional wired LANs. The following describes some of those differences:
• Communications are carried using radio transmission; some countries impose specific requirements for radio equipment and for the frequencies that can be used.
• Since communications are radio broadcast, they need to be protected.
• There are range limitations when using wireless networks that depend on the type of modulation, transmitting frequency, and type of antenna used.
• Wireless communications must be able to handle mobile, as well as portable stations. A portable station is one that is moved from location to location, but that is only used while at a fixed location. A mobile station actually accesses the LAN while in motion, and may often be battery powered. Hence, power management is an important consideration.
• A station needs to be associated with an access point.
• It is possible to have one access point and many stations. Each station’s connection to the access point is independent and does not interfere with that of other stations.
• Access points’ coverage may overlap.

IEEE 802.11 Standards
• IEEE 802.11: The original 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and IR standard (1999)
• IEEE 802.11a: 54 Mbit/s, 5 GHz standard (2001)
• IEEE 802.11b: Enhancements to 802.11 to support 5.5 and 11 Mbit/s (1999)
• IEEE 802.11c: Bridge operation procedures; included in the IEEE 802.1D standard (2001)
• IEEE 802.11d: International (country-to-country) roaming extensions (2001)
• IEEE 802.11e: Enhancements: QoS, including packet bursting (2005)
• IEEE 802.11g: 54 Mbit/s, 2.4 GHz standard (backwards compatible with b) (2003)
• IEEE 802.11h: Spectrum Managed 802.11a (5 GHz) for European compatibility (2004)
• IEEE 802.11i: Enhanced security (2004)
• IEEE 802.11n: 802.11n builds upon previous 802.11 standards by adding MIMO (multiple-input multiple-output) and orthogonal frequency-division multiplexing (OFDM). MIMO uses multiple transmitter and receiver antennas to allow for increased data throughput.
• IEEE 802.11p: WAVE - Wireless Access for the Vehicular Environment (such as ambulances and passenger cars)
• IEEE 802.11s: ESS Mesh Networking

• The standard for wireless LAN is the IEEE 802.11, “Wireless LAN Medium Access Control and Physical Layer Specifications.” According to this document, the standard given defines the protocol and compatible interconnection of data communication equipment via radio or infrared. The standard also specifies that local area networks (LANs) use the Carrier Sense Multiple Access Protocol with the Collision Avoidance (CSMA/CA) medium sharing mechanism. The protocol includes authentication and association services, but confidentiality (encryption and decryption) is optional.
• The medium access control is formatted as frames, and each frame consists of a header, a variable length frame body, and a frame check sum (FCS), which contains a cyclic redundancy code (CRC). The unit of data exchanged between two peer entities to implement the access control management protocol, as in WIMAX, is also called MPDU. The MPDU term is used when describing the data exchanged between a client and the access point.

IEEE 802.11 Security Services
• Authentication
— Open System
— Shared Key
• Confidentiality
— WEP
• Access control in conjunction with layer management.
• Secure Roaming

• In a wired LAN, a hacker needs to be connected physically to the network to be able to monitor the LAN traffic, so even though wired LANs are physically closed and controlled networks, authentication, access control, and confidentiality are required security services.
• In a wireless shared medium, any IEEE 802.11-compliant station can receive all traffic that is within range of the access point and can transmit to any other 802.11 station within range. Thus, the connection of a single wireless link (without privacy) to an existing wired LAN may seriously degrade the security level of the wired LAN.
The wireless physically open-medium nature of an IEEE 802.11 wireless LAN makes authentication, access control, and confidentiality a must in its implementation. • The following are the security services provided in IEEE 802.11: 1. Authentication; 2. Confidentiality; 3. Access control in conjunction with layer management; and 4. Secure roaming. • IEEE 802.11 defines two subtypes of authentication service: open system and shared key. Open system authentication is the simplest of the available authentication algorithms. Essentially, it is a null authentication algorithm. Any station that requests authentication with this algorithm may become authenticated. The type of authentication is set at the access point, and in some products, the open system authentication is the default authentication algorithm. • In a shared-key authentication, identity is demonstrated by knowledge of a shared secret. During the shared-key authentication exchange, both the challenge and the encrypted challenge are transmitted. The challenge is encrypted using the shared secret, so only those stations who know the shared secret key are authenticated. The shared secret key needs to be loaded, via a secure channel, into the access point and into all stations that request access. Shared-key authentication is only available if the WEP option is implemented. • IEEE 802.11 provides the ability to encrypt the contents of messages. This functionality is provided by the optional Wired Equivalent Privacy (WEP), which, according to the standard, is not designed for ultimate security but rather to be at least as secure as wired networks. • The default privacy state for all IEEE 802.11 stations is in clear, and, if the privacy service is not invoked, all messages are sent unencrypted. Since many users didn’t know about or didn’t bother to change the setup, many WLAN were set to transmit in clear. 

WEP Encapsulation

[Figure: WEP encapsulation. Labels: secret key (40, 104, 232), initialization vector (IV), RC4, keystream, payload, CRC-32, integrity check value (ICV). The WEP frame carries the 802.11 frame header, the IV, the key number, and the encrypted payload and ICV.]

• The IEEE 802.11 WEP is a data confidentiality algorithm designed to protect authorized users of a wireless LAN from casual eavesdropping; WEP uses RC4, a symmetric encryption algorithm. Data confidentiality depends on an external key management service to distribute the key because the same key is used to encipher and to decipher.
• The secret key is concatenated with an initialization vector (IV), and the resulting seed is input to RC4 to produce a keystream of k pseudorandom octets equal in length to the number of data octets that are to be transmitted. To protect against unauthorized data modification, an integrity algorithm operates on the plaintext to produce an integrity check value (ICV). The plaintext is concatenated with the ICV and the result is XORed with the RC4 pseudorandom keystream output. The ciphertext is then concatenated with the IV.
• In WEP, each MPDU is considered a different message, so each MPDU is encrypted with a different key. However, in 802.11 there is no provision for key management, so there is no way for the access point and the client to exchange new keys to encipher each packet; nor can it be done when packets are dropped and it is necessary to re-synchronize the RC4 symmetric encryption algorithm with a new key.
• Since it was not possible to have a different key for each MPDU, and to avoid the problem of starting at the same point every time re-synchronization was required, the designers of WEP added an IV that determines a different starting point in the RC4 keystream. The number of starting points was 2^24, and the starting point was sent unencrypted. The secret key remained constant while the IV changed periodically; in this way, the IV extended the useful lifetime of the secret key. The fundamental problem, however, was that there was a finite number of starting positions, and WEP didn’t specify an algorithm to generate the IVs. The result was that in most implementations, the IV started at zero and was incremented sequentially for each packet. With only 2^24 possible IV starting positions, and with the IV selected at random, there was a 50% probability of reusing a previous IV after fewer than 4,792 MPDUs (calculated using the birthday attack).

IEEE 802.11i

• In June 2004, the IEEE Standards Association approved IEEE 802.11i, a security enhancement amendment to the original IEEE 802.11 specification.
• Several reports were written revealing 802.11’s security weaknesses.
• The IEEE 802.11i amendment added stronger encryption, authentication, and key management strategies for wireless data and system security.
• The amendment proposed two new data-confidentiality upgrades:
— An interim software upgrade solution that didn’t need hardware upgrades: the Temporal Key Integrity Protocol (TKIP)
— A final solution with different hardware and, therefore, not compatible with the previous version of WEP: CTR [counter mode] with CBC-MAC [cipher-block chaining (CBC) with a message authentication code (MAC)] Protocol (CCMP), and IEEE 802.1X to control access to the network.
• The 802.11i amendment also provided improvement for the following security issues:
— Key management
— Data origin authenticity
— Replay detection

• In June 2004, the IEEE Standards Association approved a security enhancement amendment to the original IEEE 802.11 specification. It was IEEE 802.11i, “Wireless LAN Medium Access Control and Physical Layer Specifications: Medium Access Control Security Enhancement.”
• The IEEE 802.11i amendment added stronger encryption, authentication, and key management strategies for wireless data and system security. The amendment proposed two new data-confidentiality upgrades: (1) a software upgrade, the Temporal Key Integrity Protocol (TKIP); (2) a hardware upgrade, called CTR [counter mode] with CBC-MAC [cipher-block chaining (CBC) with a message authentication code (MAC)] Protocol (CCMP). In addition, IEEE 802.11i also uses IEEE 802.1X to control access to the network.
• According to the standard, in addition to improving confidentiality, the 802.11i amendment also provides improvement for the following security issues:
— Key management: The enhanced confidentiality, data authentication, and replay protection mechanisms require fresh cryptographic keys. 802.11i provides fresh keys by means of protocols called the 4-Way Handshake and Group Key Handshake.
— Data origin authenticity: The data origin authenticity mechanism defines a means by which a station that receives a data frame can determine which station transmitted the MPDU. This feature is required to prevent one station from masquerading as another station. This mechanism is provided by using CCMP or TKIP.
— Replay detection: The replay detection mechanism defines a means by which a station that receives a data frame from another station can detect whether the data frame is an unauthorized retransmission. This mechanism is provided by using CCMP or TKIP.
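
The WEP encapsulation described earlier (RC4 seeded with IV || secret key, a CRC-32 ICV appended to the plaintext, the IV sent in clear) and the IV-reuse problem that 802.11i's fresh keys address can be exercised directly. The following Python is an added example, not part of the original slides; the key, payloads and helper names are constructed for illustration.

```python
import struct
import zlib
from collections import defaultdict

SECRET_KEY = bytes.fromhex("0badc0de42")          # constructed 40-bit secret key


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Return `length` octets of RC4 keystream for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                       # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload))


def iv_from_counter(n: int) -> bytes:
    """Sequential IV as most implementations generated it; wraps at 2^24."""
    return (n % 2**24).to_bytes(3, "big")


def wep_encapsulate(key: bytes, iv: bytes, payload: bytes, key_number: int = 0) -> bytes:
    """Return IV || key-number octet || RC4(IV || key) XOR (payload || ICV)."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    plaintext = payload + icv(payload)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes([(key_number & 0x03) << 6]) + xor(plaintext, keystream)


def wep_decapsulate(key: bytes, body: bytes) -> bytes:
    """Decrypt a frame body and verify the ICV; raise ValueError on mismatch."""
    if len(body) < 8:
        raise ValueError("frame body too short")
    iv, ciphertext = body[:3], body[4:]
    plaintext = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    payload, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch")
    return payload


def find_iv_reuse(bodies):
    """Map each IV seen more than once to the indexes of the frames using it."""
    seen = defaultdict(list)
    for index, body in enumerate(bodies):
        seen[body[:3]].append(index)
    return {iv: idx for iv, idx in seen.items() if len(idx) > 1}


def leaked_xor(body_a: bytes, body_b: bytes) -> bytes:
    """With equal IVs the keystreams cancel: C1 XOR C2 == P1 XOR P2."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(body_a[4:], body_b[4:])


if __name__ == "__main__":
    p1, p2 = b"GET /index.html", b"POST /login.php"      # constructed payloads
    # Frame counters 0 and 2^24 map to the same IV once the 24-bit counter wraps.
    frames = [wep_encapsulate(SECRET_KEY, iv_from_counter(n), p)
              for n, p in ((0, p1), (1, p1), (2**24, p2))]
    print("reused IVs:", find_iv_reuse(frames))
    print("C1 xor C2 == P1 xor P2:",
          leaked_xor(frames[0], frames[2])[:len(p1)] == xor(p1, p2))
```

A monitor that sees the same IV twice under one static key knows the two frames share a keystream, which is why TKIP and CCMP pair a longer counter with fresh temporal keys.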

802.11 Security Framework

[Figure: 802.11 security framework. Recoverable content:]
• RADIUS servers: Cisco ACS, Microsoft IAS, FreeRADIUS, Juniper SBR
• Authentication user credentials: certificates, username/password, or either
• EAP implementations: EAP-TLS, PEAP, EAP-MD5, EAP-TTLS, plus others such as EAP-SIM, EAP-FAST and LEAP
• Wi-Fi Alliance modes: Enterprise (802.1X) and Personal (PSK)
• Timeline: 802.11 ratified 06/1997; WPA released 04/2003; 802.11i ratified 06/2004; WPA2 released 09/2004
• Encryption algorithm, cipher, IEEE standard, Wi-Fi Alliance certification:
— WEP, RC4, 802.11
— TKIP, RC4, 802.11i (RSN), WPA/WPA2
— CCMP, AES, 802.11i (RSN), WPA2
• The WPA2 cipher suite is indicated in the Robust Security Network (RSN) Information Element.
• CCMP (AES) is also supported by WPA but not certified in it; hence some vendors implement WPA with AES.

• WPA and WPA2 are the Wi-Fi Alliance functionality certification versions of IEEE 802.11i. WPA and WPA2 use 802.1X and EAP for authentication. WPA and WPA2 continue the use of the RC4 cipher with TKIP, but WPA2 also uses a stronger encryption mechanism with AES, using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Built into the CCMP algorithm is an integrity check.
• Both WPA and WPA2 have personal and enterprise certified modes of operation that meet the needs of two different market segments. In the personal mode of operation, a pre-shared key (password) is used for authentication, while in the enterprise mode of operation, authentication is achieved via 802.1X and EAP. The personal mode requires only an access point and the client device, while the enterprise mode typically requires a RADIUS or other authentication server on the network.
• The personal mode is designed for users who do not have authentication servers, such as RADIUS. For authentication, personal mode uses a pre-shared key that is manually entered at the access point and at all user stations; consequently, personal mode does not scale well in an enterprise network. The pre-shared key is used to generate the encryption key; therefore, the PSK should be of sufficient strength by including a mix of letters, numbers, and non-alphanumeric characters. The personal mode uses the same encryption methods as enterprise mode. It supports per-user, per-session, and per-packet encryption via TKIP with WPA or AES with WPA2.
• WPA-Enterprise and WPA2-Enterprise use IEEE 802.1X authentication with EAP methods to provide mutual authentication and to ensure that only authorized users are granted access to the network and only to authorized areas within the network.

TKIP Encapsulation

[Figure: TKIP encapsulation. Labels: TA, TK, Phase 1 key mixing, TTAK, TSC, Phase 2 key mixing, WEP seed (IV and 128-bit RC4 key), Michael, MIC key, DA + SA + Priority + plaintext MSDU data, plaintext MSDU + MIC, fragment(s) (if necessary), RC4, ciphertext MPDU.]
TA = Transmitter Address; TK = Temporary Key; TSC = TKIP Sequence Counter; MIC = Message Integrity Code; DA = Destination Address; SA = Source Address.

• As mentioned before, TKIP was designed so that the algorithm could be implemented within the hardware capabilities of most devices supporting only WEP. In this way, such devices could be field-upgradeable by the manufacturers.
• TKIP uses the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication. The key selected by the user goes through two mixing functions, Phases 1 and 2. Phase 1 mixes the appropriate temporary key, TK (pairwise or group), with the transmitter address, TA, and the TKIP sequence counter, TSC. Phase 2 mixes the output of Phase 1 with the TSC and TK to produce the WEP seed, also called the per-frame key. Both Phase 1 and Phase 2 rely on an S-box, the only difference being that the second S-box table is an octet-swapped replica of the first. The S-boxes substitute one 16-bit value with another 16-bit value.
• To defend against active attacks, TKIP used a MIC called Michael. Traditionally, such a code would simply be called a message authentication code, but the acronym MAC was already used in the 802.11 standard with another meaning. Similar to a MAC (see Session 5, “Message Authentication Code”), the MIC was a key-dependent one-way hash function. The integrity provided by the MIC was based on the fact that it was not possible to generate a MIC without knowing the MIC key. An adversary without knowledge of the key would not be able to modify data and then generate an authentic MIC on the modified data. If the MIC key were known only by the source and the destination, this algorithm would provide both data origin authentication and data integrity for MPDUs sent between the two parties. In addition, only a station or access point with the identical MIC key could verify the hash.
• Another improvement of TKIP over WEP was that the IV bit length was increased from 24 to 48 bits, so the number of MPDUs at which there was a 50% probability of a previous IV being reused increased from fewer than 4,792 to 19,629,343 (calculated using the birthday attack).

CBC-MAC Authentication

[Figure: CBC-MAC authentication. The formatting (encoding) function turns the input data (N, A, P) into the output data (B0, B1, B2, ..., Br); each input block is enciphered with CIPHK after being XORed with the previous output block.]
$Y_0 = \mathrm{CIPH}_K(B_0)$, $Y_1 = \mathrm{CIPH}_K(Y_0 \oplus B_1)$, ..., $Y_r = \mathrm{CIPH}_K(Y_{r-1} \oplus B_r)$, $T = \mathrm{MSB}_{Tlen}(Y_r)$

• The following are the prerequisites for the authentication and encryption process of CCM: block cipher algorithm, key K, counter generation function, formatting function, and MAC length Tlen. The following are the inputs: valid nonce N, valid payload P of length Plen bits, and valid associated data A.
• Steps:
— Apply the formatting function to (N, A, P) to produce the blocks $B_0, B_1, \ldots, B_r$.
— Set $Y_0 = \mathrm{CIPH}_K(B_0)$.
— For $i = 1$ to $r$, set $Y_i = \mathrm{CIPH}_K(B_i \oplus Y_{i-1})$.
— Set $T = \mathrm{MSB}_{Tlen}(Y_r)$.
• Where:
— r = the number of blocks in the formatted input data (N, A, P).
— Yr = the CBC-MAC result.
— MSBs(X) = the bit string consisting of the s left-most bits of the bit string X.
— T = the MAC that is generated as an internal variable in the CCM processes.
— Tlen = the bit length of the MAC.

Counter (CTR) Mode Encryption

[Figure: counter (CTR) mode encryption. The counter blocks Ctr0, Ctr1, ..., Ctrm, each formed from Flag, N and a counter, are enciphered with CIPHK to give S0, S1, ..., Sm.]
$S_0 = \mathrm{CIPH}_K(Ctr_0)$, $S_1 = \mathrm{CIPH}_K(Ctr_1)$, ..., $S_m = \mathrm{CIPH}_K(Ctr_m)$; $S = S_1 \| S_2 \| \ldots \| S_m$
$C = (P \oplus \mathrm{MSB}_{Plen}(S)) \,\|\, (T \oplus \mathrm{MSB}_{Tlen}(S_0))$, where the first term provides confidentiality and the second authentication.
m = the number of blocks in the formatted payload, equal to Plen/128; Plen = the bit length of the payload.

• Apply the counter generation function to generate the counter blocks Ctr0, Ctr1, …, Ctrm, where $m = \lceil Plen / 128 \rceil$.
• For $j = 0$ to $m$, set $S_j = \mathrm{CIPH}_K(Ctr_j)$.
• Set $S = S_1 \| S_2 \| \ldots \| S_m$.
• Return $C = (P \oplus \mathrm{MSB}_{Plen}(S)) \,\|\, (T \oplus \mathrm{MSB}_{Tlen}(S_0))$.
• The first portion of C is the ciphertext of the payload and the second part is the authentication.
• If the block cipher behaves as a pseudo-random permutation, then by encrypting T, CBC-MAC collision attacks are avoided because the attacker doesn’t get information about the CBC-MAC results.
• CCM was designed for use in a packet network, and the authentication process requires the message length to be known at the beginning of the operation. This is not a problem because in almost all environments, message or packet lengths are known in advance. It is possible to compute the message authentication code and perform encryption in a single pass because authentication doesn’t have to be completed before encryption can begin. The encryption keystream can be pre-computed, but authentication cannot.

IEEE 802.1X EAP Authentication

[Figure: IEEE 802.1X EAP authentication between the Supplicant (station), the Authenticator (access point) and the Authentication Server (RADIUS). Sequence shown: Port Lock; 802.1X EAP Start; 802.1X EAP Request; 802.1X EAP Response; Access Request (EAP Request); EAP Authentication Access Protocol (Exchange PMK); Accept / EAP Success / Key Material (PMK); 802.1X EAP Success; Port Unlock.]

• The IEEE 802.1X authentication procedure is as follows:
• The Supplicant connects to the Authenticator; the Authenticator’s port is always in the unauthorized state, so it accepts only 802.1X (EAPOL) traffic and discards any other type of traffic, such as HTTP, FTP, Dynamic Host Configuration Protocol, and Simple Mail Transfer Protocol.
• The Supplicant sends an EAPOL Start message.
• The Authenticator replies with an EAP-Request Identity message to obtain the client's identity.
• The Supplicant sends the EAP Response Identity. The Authenticator passes the client identity to the Authentication Server (RADIUS), encapsulated in the RADIUS protocol.
• The Authentication Server sends back a supplicant access challenge.
• The Authenticator unpacks the client access challenge from the RADIUS protocol, re-packs it using the EAP protocol, and forwards the access challenge to the Supplicant.
• The Supplicant responds to the challenge and sends the response to the Authenticator, which passes it to the Authentication Server.
• The result is an accept or reject packet from the Authentication Server to the Authenticator.
• The Authenticator enables the port to the services offered and allows the supplicant’s traffic to be forwarded.
• At logoff, the Supplicant sends an EAP-logoff message that forces the Authenticator to transition the port to the services offered into a disabled state.

4-Way Handshake

[Figure: 4-Way Handshake between the Supplicant (peer, client) and the Authenticator (access point).]
• The PMK is known to both sides; the supplicant generates SNonce and the authenticator generates ANonce.
• Message 1: EAPOL-Key (ANonce, Unicast). The supplicant derives the PTK.
• Message 2: EAPOL-Key (SNonce, Unicast, MIC). The authenticator derives the PTK and, if needed, generates the GTK.
• Message 3: EAPOL-Key (Install PTK, Unicast, MIC, Encrypted GTK).
• Message 4: EAPOL-Key (Unicast, MIC). The supplicant installs the PTK and GTK; the authenticator installs the PTK.

• IEEE 802.11i (2004) defines two key hierarchies: (1) the pairwise key hierarchy, to protect unicast traffic, and (2) the group key hierarchy, consisting of a single key to protect multicast and broadcast traffic. The pairwise key can be used in TKIP or CCMP, so in a mixed environment, an AP may simultaneously communicate with some stations using TKIP and others using CCMP.
• The client and the authentication server (RADIUS) perform authentication using EAP, via 802.1X, to agree on a 256-bit secret key called the Pairwise Master Key (PMK).
• The 4-Way Handshake Protocol consists of the following steps:
• The authenticator sends Message 1 to the supplicant at the end of a successful IEEE 802.1X PMK exchange, or when a station requests a new key. The message includes an ANonce, as well as a key description version (RC4 encryption with HMAC-MD5 or AES key wrap with HMAC-SHA1-128) and, as key data, the PMKID for the PMK being used during this exchange.
• On reception of Message 1, the supplicant generates a new nonce, SNonce, and derives the PTK from ANonce and SNonce.
• The supplicant prepares and sends Message 2. Message 2 includes the SNonce, the same key description selected by the authenticator, and key data information with the authentication and cipher suite enabled by the supplicant’s policy. In other words, the message contains the authentication and cipher suite that the station is proposing or supports. The message also includes the message integrity code.
• Upon reception of Message 2, the authenticator derives the PTK, verifies Message 2’s integrity (MIC), and then, if needed, derives the GTK. Finally, it prepares and sends Message 3.
• The authenticator sends Message 3, which includes the ANonce. The key data field includes the authentication and cipher suite selected by the authenticator, as well as the MIC, an indication of whether or not to install the temporal keys, and the encapsulated GTK.
• When Message 3 is received, the supplicant (1) verifies that the ANonce value in Message 3 is the same as the ANonce value in Message 1; (2) checks that the authentication and cipher suite sent by the access point are the same as the one sent in Message 2; (3) verifies the MIC; (4) confirms that temporal keys are installed; and (5) prepares and sends Message 4.
• Upon reception of Message 4, the authenticator verifies the MIC.

Pairwise and Group Key Hierarchy

[Figure: pairwise key hierarchy. Pairwise Master Key (PMK) → PRF-X(PMK, “Pairwise key expansion”, AA, SPA, ANonce, SNonce) → Pairwise Transient Key (PTK): TKIP 512 bits, CCMP 384 bits. EAPOL-Key Key Confirmation Key (KCK) = L(PTK 0-127); EAPOL-Key Key Encryption Key (KEK) = L(PTK 128-255); Temporal Key = L(PTK 256-511) for TKIP, L(PTK 256-383) for CCMP.]
AA = Authenticator Address; SPA = Supplicant Address; ANonce = Authenticator’s Nonce; SNonce = Supplicant’s Nonce; GNonce = Group’s Nonce.

• The Pairwise Master Key is used to generate a Pairwise Transient Key (PTK), and the PTK is partitioned to create three types of keys.
• The pairwise key hierarchy utilizes a pseudorandom function to expand the PMK to a 384-bit or a 512-bit PTK. TKIP uses 512 bits and CCMP uses 384 bits. The PTK is partitioned into several keys:
• The key confirmation key (KCK) is used by IEEE 802.1X to provide data origin authenticity in the 4-Way Handshake and Group Key Handshake messages; it consists of the first 128 bits (bits 0–127) of the PTK.
• The key encryption key (KEK) is used by the EAPOL-Key frames to provide confidentiality in the 4-Way Handshake and Group Key Handshake messages; it consists of bits 128–255 of the PTK.
• Temporal keys are used by the station and consist of bits 256–383 (for CCMP) or bits 256–511 (for TKIP).
• All these keys are used to protect unicast communications between the authenticator’s and supplicant’s respective stations. PTKs are used between a single supplicant and a single authenticator.

Pairwise and Group Key Hierarchy (continued)

[Figure: group key hierarchy. Group Master Key (GMK) → PRF-X(GMK, “Group key expansion”, AA || GNonce) → Group Temporal Key (GTK) (X bits). Temporal Key = L(PTK 0-255) for TKIP, L(PTK 0-127) for CCMP.]

• The group key hierarchy utilizes a pseudorandom function to expand the GMK to a 128-bit or a 256-bit group temporal key (GTK). TKIP uses 256 bits and CCMP uses 128 bits. The GTK is partitioned into temporal keys to protect broadcast/multicast communication. The temporal key could have a length of 40, 104, 128, or 256 bits. GTKs are used between a single authenticator and all supplicants authenticated by that authenticator.
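
The pairwise key hierarchy and the MIC checks of the 4-Way Handshake described above can be traced end to end. The following Python is an added example, not part of the original slides: the PRF construction (HMAC-SHA1 over label, a zero octet, the data and a counter) and the min/max ordering of addresses and nonces follow IEEE 802.11i, while the message encoding is a simplified stand-in for real EAPOL-Key frames, GTK transport in Message 3 is omitted, and all keys, addresses and nonces are constructed values.

```python
import hashlib
import hmac

PTK_BITS = {"CCMP": 384, "TKIP": 512}           # PTK sizes from the key hierarchy

# Constructed sample values (not from any real network).
PMK = bytes(range(32))                          # 256-bit Pairwise Master Key
AA = bytes.fromhex("020000000001")              # authenticator address
SPA = bytes.fromhex("020000000002")             # supplicant address
ANONCE, SNONCE = b"\xaa" * 32, b"\x55" * 32


class HandshakeError(Exception):
    """A handshake message failed verification and must be discarded."""


def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """PRF-X: concatenate HMAC-SHA1 blocks and keep the first `bits` bits."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """Expand the PMK into the PTK and partition it into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_BITS[cipher])
    return {"KCK": ptk[0:16],                   # bits 0-127
            "KEK": ptk[16:32],                  # bits 128-255
            "TK": ptk[32:]}                     # bits 256-383 or 256-511


def mic(kck: bytes, number: int, nonce: bytes = b"") -> bytes:
    """HMAC-SHA1-128 keyed with the KCK over the simplified message encoding."""
    return hmac.new(kck, bytes([number]) + nonce, hashlib.sha1).digest()[:16]


def check_mic(kck: bytes, msg: dict, number: int) -> None:
    expected = mic(kck, number, msg.get("nonce", b""))
    if not hmac.compare_digest(msg["mic"], expected):
        raise HandshakeError(f"Message {number}: MIC verification failed")


def supplicant_on_message1(pmk, aa, spa, msg1, snonce, cipher="CCMP"):
    """Derive the PTK from ANonce and SNonce, then build Message 2."""
    keys = derive_ptk(pmk, aa, spa, msg1["nonce"], snonce, cipher)
    return keys, {"nonce": snonce, "mic": mic(keys["KCK"], 2, snonce)}


def authenticator_on_message2(pmk, aa, spa, anonce, msg2, cipher="CCMP"):
    """Derive the PTK, verify Message 2's MIC, then build Message 3."""
    keys = derive_ptk(pmk, aa, spa, anonce, msg2["nonce"], cipher)
    check_mic(keys["KCK"], msg2, 2)
    msg3 = {"nonce": anonce, "install": True, "mic": mic(keys["KCK"], 3, anonce)}
    return keys, msg3


def supplicant_on_message3(keys, msg1, msg3):
    """Check the ANonce against Message 1 and the MIC, then build Message 4."""
    if msg3["nonce"] != msg1["nonce"]:
        raise HandshakeError("Message 3: ANonce differs from Message 1")
    check_mic(keys["KCK"], msg3, 3)
    return {"mic": mic(keys["KCK"], 4)}


def authenticator_on_message4(keys, msg4) -> bool:
    check_mic(keys["KCK"], msg4, 4)
    return True


def run_handshake(ap_pmk, sta_pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """Run all four messages; return the keys each side installs."""
    msg1 = {"nonce": anonce}                    # Message 1 carries no MIC
    sta_keys, msg2 = supplicant_on_message1(sta_pmk, aa, spa, msg1, snonce, cipher)
    ap_keys, msg3 = authenticator_on_message2(ap_pmk, aa, spa, anonce, msg2, cipher)
    msg4 = supplicant_on_message3(sta_keys, msg1, msg3)
    authenticator_on_message4(ap_keys, msg4)
    return ap_keys, sta_keys


if __name__ == "__main__":
    ap_keys, sta_keys = run_handshake(PMK, PMK, AA, SPA, ANONCE, SNONCE)
    print("both sides hold the same temporal key:", ap_keys["TK"] == sta_keys["TK"])
```

A station holding a different PMK produces a Message 2 whose MIC the authenticator cannot verify, so the exchange stops before any temporal key is installed.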

Securing WLAN

• Use Wireless Security Switches
• Use Strong Encryption
• Turn Off SSID Broadcasting
• Change the Default Administrative Password and SSID
• Turn Off the System
• Use MAC Filtering
• Control the Wireless Signal Output
• Use VPN
• Use WLAN Audits

• Use Wireless Security Switches
— Intelligent wireless access points manage security and authentication locally, and each one needs to be managed keeping in mind the potential for security holes. It is not that complicated for small or medium business IT managers to set up three to ten access points. However, when companies install, for example, 50 access points, IT managers need centralized AP management tools.
• Use Strong Encryption
— Purchase WLAN equipment that supports the IEEE 802.11i Enterprise mode that uses AES encryption. Equipment that supports this mode is labeled WPA2.
• Turn Off SSID Broadcasting
— The Service Set Identifier is a 32-character unique identifier attached to the header of packets that distinguishes one WLAN from another. A station will not be permitted to connect to the access point unless it can provide the unique SSID. The problem is that, by default, most WAPs broadcast the SSID, making it easy for users to find the network, as it shows up on their wireless client computers. If the SSID is not broadcast, users will have to find out the SSID to be able to connect; the SSID then becomes a type of password. Because an SSID can be sniffed in plaintext from a packet, it does not supply any security to the network. Turning off SSID broadcasting will not deter a serious hacker, but it will deter casual users who try to piggyback on a network.
• Change the Default Administrative Password and SSID
— Manufacturers use the same SSID name for all wireless equipment. Therefore, the first things that should be changed are the administrative password and the SSID name. Select a password and name that are difficult to guess.
• Turn Off the System
— Several security advisors emphasize that to improve security, one should simply turn off the computer when it is not in use. The same applies to a wireless network. If possible, turn off the access point or wireless switch when not in use, e.g., at night or during the weekend when there is no need for anyone to connect to the network.
• Use MAC Filtering
— In some access points, it is possible to use media access control (MAC) address filtering. Therefore, it is possible to set up a list of computer MAC addresses that can have access to the access point. It is possible for a hacker to spoof a MAC address, but the filter still acts as an access control against the piggybacker.
• Control the Wireless Signal Output
— Manufacturers sell special high-gain antennas to extend the range of an access point. A typical 802.11b/g WAP has a range of 300 feet, and 802.11n MIMO technology may now double or triple that range. However, extending the range of an access point exposes the wireless network to hackers. If possible, use a directional antenna instead of an omnidirectional one, and adjust the signal strength to reduce the range.
• Use VPN
— Use a VPN to provide end-to-end security instead of securing only the air portion of the wireless connection. Connecting to the corporate network using a VPN ensures that the session between the PC and the server is encrypted.
• Use WLAN Audits
— Unauthorized rogue access points can present a significant security threat if they do not comply with enterprise security policies. Use NetStumbler to find out if there are rogue access points connected to the network.

Bluetooth

• Conceived as a low-cost, low-profile, low-power, short-range radio technology, open standard.
• Designed to create small wireless networks for interconnecting devices such as wireless headsets, printers, keyboards, and mice.
• Used to enhance wireless connectivity by connecting almost any device to any other device. • Works as an ad-hoc network, typically created on a temporary and random basis. • Consists of up to eight Bluetooth devices in a network, called a piconet, working in a master-slave relationship, with one device designated as master and the rest as slaves. • Employs a dynamic topology in which the master controls and reconfigures the changing network topologies. • Creates a chain of piconets, referred to as a scatter-net, in which a slave from one piconet acts as the master of another piconet. Wireless WIMAX Wi-Fi Bluetooth M. Mogollon – 01/08 - 30 • Bluetooth™ is an open standard conceived as a low-cost, low-profile, low-power, short-range radio technology. It was designed to create small wireless networks to replace cables for interconnecting devices such as wireless headsets, printers, and keyboards. Bluetooth can be used to enhance wireless connectivity by connecting almost any device to any other device; it could ultimately eliminate wires and cables between both stationary and mobile devices and between personal devices. • Bluetooth networks are ad hoc networks. According to the Bluetooth Specification, an ad hoc network is a network typically created in a spontaneous manner. An ad hoc network requires no formal infrastructure and is limited in temporal and spatial extent. Devices in an ad hoc networks move in an unpredictable fashion; they are configured on the fly and maintain random dynamic network topology. They also control the network configuration, maintain and share resources, and rely on a master-slave system. When combined with other technologies, ad hoc networks can have access to a network or to the Internet. An example would be a computer using a mobile phone to access the Internet. • Bluetooth ad hoc networks are established on a temporary and random basis. 
A Bluetooth network, called a piconet, consists of up to eight Bluetooth devices; It sets up a master-slave relationship with one device designated as master and the rest as slaves. Although only one device may perform as the master for each network, a slave in one network can act as the master for other networks, thus creating a chain of piconets referred to as a scatter-net. • In a Bluetooth network, the master of the piconet controls the changing network topologies. It also controls the flow of data between devices that are capable of supporting direct links to each other. As devices move about in an unpredictable fashion, these networks must be reconfigured on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows the master to establish and maintain these shifting networks. 30 Wireless Security Bluetooth Frequency and Power Operation • Bluetooth operates in the 2.4 GHz industrial, scientific, and medical (ISM) non-license spectrum. • The system uses frequency-hopping, spread spectrum (FHSS) transmission. • Devices in a piconet use a specific hopping pattern of 79 frequencies in the ISM band that changes frequency about 1,600 times per second. • The master device controls and sets up the network’s pseudo-random, frequency-hopping sequence, and the slaves synchronize to the master. Power Class Max Output Power Min Output Power 1 100 mW 1 mW Up to 300 feet 2 2.5 mW 1 mW Up to 30 feet 3 1 mW N/A Wireless WIMAX Wi-Fi Range Less than 30 feet Bluetooth M. Mogollon – 01/08 - 31 31 Wireless Security Bluetooth Security • Provides confidentiality and authentication for peer-to-peer communications over short distances. • Four variables are used for security: — Bluetooth device address — Two secret keys — A pseudo-random number that is regenerated for each new transaction. 
Variable                                                         Bit Length
Bluetooth device address                                         48 bits
Private user key (link key), authentication                      128 bits
Private user key, encryption, configurable length (byte-wise)    8 – 128 bits
Random number                                                    128 bits

• Bluetooth provides confidentiality and authentication for peer-to-peer communications over short distances. There are four variables used for security: a Bluetooth device address, two secret keys, and a pseudorandom number that is regenerated for each new transaction. The four variables and their bit lengths are shown above.
• For authentication, the private user key, also referred to as the link key, is derived during initialization, and the private user key for encryption is derived during the authentication process. The random numbers are generated from a pseudorandom number generator and are nonrepeating. Even though the authentication key is used to generate the encrypting key, each is different. Every time encryption is activated, a new encrypting key is generated. The size of the encrypting key is configurable, 8 – 128 bits, to conform to export regulations and the policies of various countries about privacy. The authentication key is more static, so the particular application running in the device decides when to change the key.

Bluetooth Key Generation
[Figure: Bluetooth Key Generation. In Bluetooth Device 1 and Bluetooth Device 2, key generator function E2 takes BD_ADDR, PIN, PIN length and IN_RAND and outputs Kinit; E2 also takes BD_ADDR and RAND and outputs the unit keys KA and KB. The devices exchange CA and CB and each computes the link key KAB = KA ⊕ KB. Key generator function E3 takes EN_RAND, COF and the link key (KAB) and outputs the encryption key KC.]

• The first generated key is the link key, which must be generated and distributed among the devices during the initialization phase. The initialization, as well as the secret link-key generation, is carried out for each of the two devices that are using authentication and encryption. Several steps are carried out to generate the link key. Those are explained below.
• Both Bluetooth devices create a 128-bit initialization key, Kinit, to be used for key exchange during the generation of a link key. Kinit is generated using Key Generator E2, Mode 2, with the following inputs: BD_ADDR (Bluetooth device address), a PIN code, the length of the PIN code, and an initialization random number (IN_RAND). The BD_ADDR is the address of the device that receives IN_RAND.
• Each Bluetooth device creates a 128-bit unit key, KA and KB, using Key Generator E2, Mode 2. For each, its own BD_ADDR (Bluetooth device address) and a random number (RAND) are used as inputs.
• Each device enciphers its unit key as follows: $C_A = K_A \oplus K_{init}$ and $C_B = K_B \oplus K_{init}$
• Then, the devices exchange the enciphered keys, CA and CB. After receiving the enciphered key, both units decipher the other device’s unit key as follows: $K_B = C_B \oplus K_{init}$ and $K_A = C_A \oplus K_{init}$
• The link key is $K_{AB} = K_A \oplus K_B$. If the devices have memory restrictions, then KAB = KA.
• Each device creates the ciphering key Kc using Key Generator E3, with the following inputs: an encryption random number (EN_RAND), the ciphering offset (COF), and the link key, KAB, calculated above.
• COF is determined in one of two ways. If the current link key is a master key, it is derived from the master address (COF = BD_ADDR || BD_ADDR). Otherwise, COF is equal to the Authenticated Ciphering Offset (ACO), which is calculated during the authentication process. The master generates and distributes EN_RAND to all slaves.
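The key-generation exchange described above, with both sides' messages, as an added example that is not part of the original slides. The function kdf is a stand-in (HMAC-SHA-256 truncated to 128 bits) for the E2 and E3 key generators, which the slides do not specify; the device addresses and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def kdf(label, *fields):
    """Stand-in for key generators E2/E3: HMAC-SHA-256 cut to 128 bits."""
    data = b"".join(len(f).to_bytes(1, "big") + f for f in fields)
    return hmac.new(label, data, hashlib.sha256).digest()[:16]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pair(pin, addr_a, addr_b):
    """Return (values seen on the air, link key at A, link key at B)."""
    in_rand = os.urandom(16)                       # sent A -> B in the clear
    # Both sides derive Kinit from the BD_ADDR of the device that receives
    # IN_RAND (B here), the PIN, the PIN length and IN_RAND.
    kinit_a = kdf(b"E2-init", addr_b, pin, bytes([len(pin)]), in_rand)
    kinit_b = kdf(b"E2-init", addr_b, pin, bytes([len(pin)]), in_rand)
    # Each side derives its unit key from its own BD_ADDR and a private RAND.
    k_a = kdf(b"E2-unit", addr_a, os.urandom(16))
    k_b = kdf(b"E2-unit", addr_b, os.urandom(16))
    c_a, c_b = xor(k_a, kinit_a), xor(k_b, kinit_b)    # C = K xor Kinit
    k_ab_at_a = xor(k_a, xor(c_b, kinit_a))        # A recovers K_B, forms K_AB
    k_ab_at_b = xor(xor(c_a, kinit_b), k_b)        # B recovers K_A, forms K_AB
    wire = {"IN_RAND": in_rand, "C_A": c_a, "C_B": c_b}
    return wire, k_ab_at_a, k_ab_at_b


def encryption_key(link_key, en_rand, cof):
    """Kc from EN_RAND, COF and the link key (E3 stand-in)."""
    return kdf(b"E3", en_rand, cof, link_key)


ADDR_A = bytes.fromhex("001122334455")             # constructed 48-bit addresses
ADDR_B = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    wire, k_a_side, k_b_side = pair(b"4821", ADDR_A, ADDR_B)
    print("link keys match:", k_a_side == k_b_side)
    cof = ADDR_A + ADDR_A                          # master-key case: BD_ADDR || BD_ADDR
    print("Kc:", encryption_key(k_a_side, os.urandom(16), cof).hex())
```

Only IN_RAND, CA and CB cross the air interface; the unit keys and the link key never do, and a fresh EN_RAND gives a fresh Kc from the same link key.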
Bluetooth Authentication
[Figure: Bluetooth Authentication. Bluetooth Device 2 (verifier) uses a random number generator (RNG) to produce AU_RAND. Bluetooth Device 1 (claimant) and the verifier each run the E1 encryption algorithm on BD_ADDR and AU_RAND with the link key (Kab), producing SRES (32 bits) and ACO (96 bits). The verifier checks whether the two SRES values are the same: yes, allow connection; no, abort connection. Legend: ACO = Authentication Ciphering Offset; Link Key = link key (128 bits); AU_RAND = authentication random number (128 bits); BD_ADDR = Bluetooth Device 1 (claimant) address (48 bits).]

• The two Bluetooth devices in the authentication process are referred to as the “verifier” and the “claimant.” The claimant is the device trying to prove its identity by knowledge of a secret key, the link key, and the verifier is the device that challenges the claimant to authenticate a random input in a challenge-response scheme. The verifier is not required to be the master.
• The authentication function E1 uses the encryption function SAFER+ (Massey et al., 1998). The algorithm is an enhanced version of an existing 64-bit block cipher, SAFER-SK 128.
• The following describes the Bluetooth authentication process:
1. The claimant transmits its 48-bit address (BD_ADDR) to the verifier.
2. The verifier transmits a 128-bit random challenge (AU_RAND) to the claimant.
3. The claimant uses the E1 encryption algorithm to encipher BD_ADDR and AU_RAND, using the link key, Kab, as the key. The verifier carries out the same encryption operation.
4. The claimant returns part of the encryption result, SRES, to the verifier.
5. The verifier compares the SRES from the claimant with its own generated SRES.
6. If both SRESs are the same, then the verifier allows the connection.
• The ACO is used as a ciphering offset (COF) to generate the encrypting key Kc.
See previous section, “Key Generation.”

Bluetooth Encryption
[Figure: Bluetooth Encryption. In Bluetooth Device A (master) and Bluetooth Device B (slave), key generator function E3 takes EN_RAND, COF and the link key and outputs KC (128 bits); the key reduction/expansion function turns KC into K’C (128 bits); the E0 encryption algorithm takes K’C, BD_ADDRA, ClockA and the 6-bit constant, and its output is combined with the plaintext packet to give the ciphertext packet. Legend: ClockA = master real-time clock (26 bits); EN_RAND = encryption random number (128 bits); BD_ADDR = Bluetooth Device A (master) address (48 bits); K’C = encryption key (128 bits).]

• In Bluetooth, user information can be protected by enciphering the payload of the packets exchanged between the two devices, using an encryption algorithm called E0. The access code and the packet header are not encrypted.
• There are three possible modes of confidentiality:
— No encryption is performed on broadcast or point-to-point traffic.
— Point-to-point only encryption.
— Point-to-point and broadcast encryption. All messages are encrypted.
• The effective length of the encryption key may vary between 8 and 128 bits. Note that the actual key length, KC, as obtained from E3, is 128 bits. Then, the key length may be reduced to the required length; after reduction, the result is expanded again to 128 bits in order to distribute the starting states more uniformly. The resulting encryption key is called K’C.
• The initial inputs to the encryption algorithm E0 are the following: the encryption key, K’c; a 48-bit address (BD_ADDR); the 26 bits of the master real-time clock, CLK26-1; and a constant 111001, for a total of 208 bits. Since CLK26-1 changes with each packet, the encryption algorithm is reinitialized with each packet even though the other variables remain the same.
A single bit change in any of the inputs produces an independent key stream, thus achieving orthogonality.

Bluetooth Encryption Engine
[Figure: Bluetooth Encryption Engine. An initial value is loaded into LFSR1 to LFSR4, whose outputs x1t, x2t, x3t and x4t feed the summation combiner logic: an XOR with c0t produces the encryption stream Zt (1 bit), and the outputs are also summed into yt (3 bits), which passes through the blend logic (delay elements Z-1 and mappings T1 and T2) to produce st+1 and ct+1 (2 bits each).]

• The E0 Bluetooth crypto engine consists of four linear feedback shift registers of lengths L1 = 25, L2 = 31, L3 = 33, and L4 = 39, with feedback taps on L1 = 25, 20, 12, 8, and 0; L2 = 31, 24, 16, 12, and 0; L3 = 33, 28, 24, 4, and 0; and L4 = 39, 36, 28, 4, and 0. The output of the LFSRs is taken from the positions 24, 24, 32, and 32 for L1, L2, L3, and L4. The crypto engine uses the XOR function to mix the output of the LFSRs, and integer additions and table mappings to blend the carry bit.
• The output of the encryption stream is obtained from the following equations:

$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$
$s_{t+1} = (s^1_{t+1}, s^0_{t+1}) = \left\lfloor \frac{y_t + c_t}{2} \right\rfloor$
$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) = s_{t+1} \oplus T_1[c_t] \oplus T_2[c_{t-1}]$

Table 14-5 LFSRs Information
L    Number of Registers    Maximum Length    Prime Factorization Numbers    Feedback Taps        Output from Stage
1    25                     3.35 x 10^7       31 • 601 • 1,801               0, 8, 12, 20, 25     24
2    31                     2.4 x 10^9        2,147,483,647                  0, 12, 16, 24, 31    24
3    33                     8.58 x 10^9       7 • 23 • 89 • 599,479          0, 4, 24, 28, 33     32
4    39                     5.49 x 10^11      7 • 8,191 • 79 • 121,369       0, 4, 28, 36, 39     32

Bluetooth Encryption Engine Initialization
[Figure: Bluetooth Encryption Engine Initialization. Inputs loaded into each register: LFSR1 (X1t): ADR[2], CL[1], K’C[12], K’C[8], K’C[4], K’C[0], CL24. LFSR2 (X2t): ADR[3], ADR[0], K’C[13], K’C[9], K’C[5], K’C[1], CL[0]L, 001. LFSR3 (X3t): ADR[4], CL[2], K’C[14], K’C[10], K’C[6], K’C[2], CL25. LFSR4 (X4t): ADR[5], ADR[1], K’C[15], K’C[11], K’C[7], K’C[3], CL[0]u, 111. CL[0]L = CL3 CL2 CL1 CL0 (4 bits); CL[0]u = CL7 CL6 CL5 CL4 (4 bits); ADR[n], CL[n], and K’c[n] have 8 bits; CLn has 1 bit.]

• The crypto engine’s initialization process is as follows:
— Open all feedback switches on the shift registers, so there is no feedback when loading the inputs; set the content of all shift register elements to zero.
— Arrange input bits from K’c, the device address, the clock, and a 6-bit constant 111001 according to a specific pattern. The pattern, as shown above, uses the notation X[n], where n is the octet number of the input X, and the clock signal CLK1, corresponding to CL0. Therefore, 49 bits are loaded in L1, 55 bits in L2, 49 bits in L3, and 55 bits in L4. Since 55 bits are loaded in L3 and L4, there are a total of 55 clocks in the initialization.
— Reset both blend registers, $c_{39} = c_{39-1} = 0$, when the switch of LFSR4 is closed at t = 39.

Bluetooth Encryption Engine Run-up
[Figure: Bluetooth Encryption Engine Run-up. The keystream octets Z[0] to Z[15] are loaded back into the four LFSRs (X1t to X4t).]

• After the key generator initialization process ends, run up the crypto engine to mix the initial data as follows:
— Keep the blend registers and use the carry bit ct.
— Clock the LFSRs 200 more times with all switches closed (t = 239).
— Collect the 200 stream cipher bits that were created.
— Load the last 128 of the 200 generated bits into the LFSRs according to Figure 14-20 at t = 240.
• From this point on, when clocked, the crypto engine produces a keystream sequence that is bitwise XORed with the transmitted payload data for encryption to create the ciphertext. At the receiving end, the same sequence is XORed with the ciphertext to decipher the payload.
• The first bit to use is the one produced at t = 240. The crypto engine runs for the entire length of the current payload.
Then, before transmission in the reverse direction (the payload from the slave) is started, the entire initialization process is repeated with updated values of the input parameters.

Bluetooth Profiles
• A Bluetooth device must be able to interpret certain Bluetooth profiles.
• Bluetooth profiles are general behaviors through which Bluetooth-enabled devices communicate with other devices.
• For example, the Headset Profile (HSP) describes how a Bluetooth-enabled headset should communicate with a computer or other Bluetooth-enabled device such as a mobile phone.
• http://bluetooth.com/Bluetooth/Technology/Works/Profiles_Overview.htm

To Probe Further
• Bluetooth Special Interest Group (SIG) – 2004, “Specification of the Bluetooth System V2.” Retrieved December 19, 2005, from https://www.bluetooth.org/spec/
• Dworkin, M. (December 2001). Recommendation for Block Cipher Modes of Operation: Methods and Techniques. NIST Special Publication 800-38A. Natl. Inst. Stand. Technol. Retrieved December 19, 2005, from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
• Dworkin, M. (May 2005). Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. NIST Special Publication 800-38B. Natl. Inst. Stand. Technol. Retrieved December 21, 2005, from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
• Dworkin, M. (May 2004). Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. NIST Special Publication 800-38C. Natl. Inst. Stand. Technol. Retrieved December 21, 2005, from http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
• Fluhrer, S., Mantin, I., and Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. 8th Annual Workshop on Selected Areas in Cryptography. August 2001.
• IEEE Std 802.15.1 – 2005, “Part 15.1: Wireless medium access control (MAC) and physical layer (PHY) specifications for wireless personal area networks (WPANs).”
• IEEE Std 802.16e – 2005, “Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems.”
• IEEE Std 802.11i – 2004, “Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications Amendment 6: Medium Access Control (MAC) Security Enhancements.”
• Karygiannis, T., and Owens, L. (2002). Wireless Network Security: 802.11, Bluetooth and Handheld Devices. NIST Special Publication. Downloaded November 15, 2004, from http://csrc.nist.gov/publications/nistpubs/80048/NIST_SP_800-48.pdf
• Shinder, D. (2005). 10 Ways to Wireless Security. Tech Republic. Retrieved October 10, 2005, from http://insight.zdnet.co.uk
• Wi-Fi Security – Addressing Concerns. Hewlett-Packard. Downloaded October 10, 2003, from http://h50012.www5.hp.com/createuse/learning/ITguide_planning.asp
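The summation combiner from the Bluetooth Encryption Engine slides, as an added example that is not part of the original deck. It uses the lengths, feedback taps and output positions of Table 14-5; the T1 and T2 mappings are taken from the Bluetooth specification rather than from the slides, the bit ordering inside each register is an assumption, and the registers are seeded directly with constructed values instead of going through the initialization and run-up, so the output will not match a real device.

```python
# (length, feedback tap positions, output position) per LFSR, from Table 14-5
LFSRS = [(25, (8, 12, 20, 25), 24), (31, (12, 16, 24, 31), 24),
         (33, (4, 24, 28, 33), 32), (39, (4, 28, 36, 39), 32)]
T1 = (0, 1, 2, 3)   # assumption (Bluetooth spec): identity on 2-bit values
T2 = (0, 3, 1, 2)   # assumption (Bluetooth spec): (x1, x0) -> (x0, x1 ^ x0)


def keystream(states, nbits):
    """Return nbits of z_t from four integer LFSR states (stage i = bit i-1)."""
    regs = list(states)
    c_t = c_prev = 0                      # blend registers c_t and c_{t-1}
    z = []
    for _ in range(nbits):
        xs = []
        for i, (length, taps, out_pos) in enumerate(LFSRS):
            reg = regs[i]
            xs.append((reg >> (out_pos - 1)) & 1)        # x_t^i
            fb = 0
            for tap in taps:                             # XOR of tapped stages
                fb ^= (reg >> (tap - 1)) & 1
            regs[i] = ((reg << 1) | fb) & ((1 << length) - 1)
        z.append(xs[0] ^ xs[1] ^ xs[2] ^ xs[3] ^ (c_t & 1))   # z_t
        s_next = (sum(xs) + c_t) // 2                    # s_{t+1}, y_t = sum(xs)
        c_t, c_prev = s_next ^ T1[c_t] ^ T2[c_prev], c_t      # c_{t+1}
    return z


def xor_payload(payload, states):
    """Encrypt or decrypt payload bytes by XOR with the keystream."""
    bits = keystream(states, 8 * len(payload))
    return bytes(
        byte ^ sum(bits[8 * i + j] << j for j in range(8))
        for i, byte in enumerate(payload))


# Constructed register contents standing in for one packet's start state.
STATE_A = (0x1A2B3C5, 0x2D3E4F61, 0x1F0E1D2C3, 0x4B5A697887)
# Same state with a single bit of LFSR1 flipped (e.g. a changed clock bit).
STATE_B = (STATE_A[0] ^ 1, STATE_A[1], STATE_A[2], STATE_A[3])

if __name__ == "__main__":
    packet = b"constructed payload"
    ct = xor_payload(packet, STATE_A)
    print(ct.hex(), xor_payload(ct, STATE_A))
    diff = sum(a != b for a, b in zip(keystream(STATE_A, 128),
                                      keystream(STATE_B, 128)))
    print("keystream bits that differ after a 1-bit input change:", diff)
```

Decrypting with the state of a different packet (STATE_B) does not recover the payload, which is why both ends must reinitialize from the same clock value for every packet.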