CSC 607 Meeting 7 Charts


Security in Computing – CSC 607
Wireless Security – WCM 605
Meeting 7
Saturday, 23 Jan 2010
1/23/2010

“Week 4” Schedule
Sat 1/23
  Voice Oriented Wireless Networks II
  Data Oriented Wireless Networks
  Security in Traditional Wireless Networks
  Security in Wireless LANs - I
Tue 1/26
  Security in Wireless LANs - II
  Breaking WEP Project Presentations
  Privacy Issues
  Review for Final Exam
Thu 1/28
  Legal and Ethical Issues
  Breaking WEP Project Presentations
  Final Exam
Week 4 Reading
  Pfleeger & Pfleeger 4th Edition Chapters 10 and 11
  Chandra Chapters 6 & 7

TWN Evolution to 2nd Generation
1st Generation specified MS/BTS Air Interface
  • Did not specify communication interface between MTSO and BTS
      - MTSO and BTS had to come from same vendor (proprietary protocols)
      - Made roaming very complex, spotty, and inconsistent
  • Interim Standard 41 developed to address roaming issues in USA
  • No equivalent in Europe

Emergence of 2nd Generation Cellular
Five incompatible air interface standards in Europe
European economic integration provided impetus for finding a single pan-European standard
The result was Global System for Mobile Communication (GSM) standard
  • Roaming was an important ingredient

2nd Generation TWNs
Three standards
  • GSM (Europe)
      - 8 time slots in 200 KHz channels, each using FDMA
      - More efficient use of spectrum than AMPS
  • TDMA (USA)
      - 3 time slots in 30 KHz channels initially, using FDMA
      - Expanded to 6 time slots
  • CDMA (USA)
      - Most efficient use of spectrum - DSSS
      - Up to 64 “channels” sharing 1.25 MHz bandwidth
      - IS-95 Standard
All air interfaces are digital

2nd Generation System Architecture
1st Gen defined only air interface
2nd Gen defines multiple interfaces
[Figure: 2nd generation system architecture. Labels: MS (includes SIM), Um, BTS, BSC, BSS, A Interface, MSC/VLR, HLR, AUC, EIR, SMS-GMSC, SS7 Network, NSS, OSS, Public Network, PSTN, ISDN, CSPDN, PSPDN]
  BTS = Base Transceiver System
  BSC = Base Station Controller
  MSC = Mobile Switching Center
  VLR = Visitor Location Register
  HLR = Home Location Register
  AUC = Authentication Center
  EIR = Equipment ID Register
  SMS = Short Message Service
  ISDN = Integrated Services Digital Network
  GMSC = Gateway Mobile Switching Center
  CSPDN = Circuit Switched Packet Data Net
  PSPDN = Packet Switched Packet Data Net

2nd Generation Databases
Home Location Register
  • Stores subscriber info (home address, billing info, contract details, etc. + VLR where subscriber is currently located)
Visitor Location Register
  • Has record of all MSs in a particular MSC’s area
Call completion process: PSTN to MS
  • PSTN contacts GMSC associating with the terminating number
  • GMSC queries HLR for VLR
  • GMSC routes call to MSC associated with VLR where MS is currently located
  • Process is complicated by handoff
      - See textbook, pp 101-102 for brief description
Authentication Center
  • Holds authentication and encryption keys for all subscribers
Equipment Identity Register
  • Keeps track of all MS in use
      - Minimizes risk of stolen SIM card

GSM Addresses
Phone No. and User ID are kept separate
  • Phone No. = MSISDN No.
  • User ID = International Mobile Subscriber Identity (IMSI)
  • Both are stored on SIM card
  • Association between MSISDN and IMSI is stored in HLR
      - Association is kept secret by HLR
International Mobile Station Equipment Identity (IMEI) uniquely IDs equipment
  • Stored in EIR
Temporary Mobile Subscriber Identity (TMSI)
  • Assigned by VLR
  • Used in place of IMSI to minimize over-the-air transmission of IMSI
  • Stored in SIM card and VLR
  • Not known to HLR
Local Mobile Subscriber Identity (LMSI)
  • May be assigned by VLR in addition to TMSI
  • Assigned when MS registers with VLR
  • Known to HLR (provides short searching key to minimize call setup time)
Mobile Station Roaming Number (MSRN)
  • Assigned to MS by VLR
  • Temporary, location-dependent ISDN (phone number)
  • Purpose: Simplify call routing

Bandwidth Gap
[Figure: bandwidth gap between the Wireless World and the Internet World. Labels: GW, CN, RNC, BTS, Transaction bottleneck; 9.6Kbps, 10Kbps, 384Kbps, 1Gbps]
  CN: Core Network
  RNC: Radio Network Controller
  BTS: Base Transceiver Station
Wireless World now
Full integration with the Internet is NOT simple
Internet World
Original Internet Design Was for FIXED networks

Next Generation Vision
[Figure (Fig 1.8): Internet World; The Internet; IP Backbone; Hot spot of Wireless LAN IEEE802.11b (Hotel, Cafe, Airport, Office); 2G/3G networks (coexist today); High Speed Downlink Packet Access (HSDPA) up to 12Mbps; 4G Network, e.g., Orthogonal Frequency And Code Division Multiplexing (OFCDM) up to 100Mbps, coming soon (more in WCM 610)]

Data Oriented Wireless Networks

IEEE 802.11 (WiFi) and the OSI Model
  • “802.11 is 802.3 (Ethernet) without the wires” - but with higher packet loss
  • Operates in unlicensed spectrum band
  • Physical Layer Convergence Protocol (PLCP)
  • Physical Medium Dependent (PMD)
      - PMD transmits actual frames onto the medium
[Figure: IEEE 802 Reference Model. Upper Layer Protocols; Logical Link Control; Medium Access Control; Physical. Scope of IEEE 802 Standards]
WLAN Overview
[Figure: WLAN overview by year (1997, 1999, 2003, 2006), with rows MAC & Above, PHY and Data Rate. Labels: CSMA/CA; IAPP (11f); QoS (TGe); Security (TGi); RRM (TGk); Inter working; Mobility; DSSS; FH; IR; OFDM (11a); CCK (11b); OFDM (11a); DFS, TPC (11h); MIMO; Channel Bundling; 1 Mbps; 2 Mbps; 54Mbps (11a); 11Mbps (11b); 54Mbps (11g); >100Mbps (11n)]
Source: Next Generation Mobile Systems, M. Etoh, Editor, Wiley, 2005
  • Multiple radio technologies at PHY level
  • MAC level is always the same
  • “MAC layer is the heart of the 802.11 standard”

IEEE 802.11 Standards Family (WiFi)
IEEE 802.11 - The original 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and IR standard (1999)
IEEE 802.11a - 54 Mbit/s, 5 GHz standard (1999, shipping products in 2001)
IEEE 802.11b - Enhancements to 802.11 to support 5.5 and 11 Mbit/s (1999)
IEEE 802.11c - Bridge operation procedures; included in the IEEE 802.1D standard (2001)
IEEE 802.11d - International (country-to-country) roaming extensions (2001)
IEEE 802.11e - Enhancements: QoS, including packet bursting (2005)
IEEE 802.11F - Inter-Access Point Protocol (2003) Withdrawn 2005
IEEE 802.11g - 54 Mbit/s, 2.4 GHz standard (backwards compatible with b) (2003)
IEEE 802.11h - Spectrum Managed 802.11a (5 GHz) for European compatibility (2004)
IEEE 802.11i - Enhanced security (2004)
IEEE 802.11j - Extensions for Japan (2004)
IEEE 802.11k - Radio resource measurement enhancements
IEEE 802.11l - (reserved, typologically unsound)
IEEE 802.11m - Maintenance of the standard; odds and ends.
IEEE 802.11n - Higher throughput improvements
IEEE 802.11o - (reserved, typologically unsound)
IEEE 802.11p - WAVE - Wireless Access for the Vehicular Environment (such as ambulances and passenger cars)
IEEE 802.11q - (reserved, typologically unsound, can be confused with 802.1Q VLAN trunking)
IEEE 802.11r - Fast roaming
IEEE 802.11s - ESS Mesh Networking
IEEE 802.11T - Wireless Performance Prediction (WPP) - test methods and metrics
IEEE 802.11u - Interworking with non-802 networks (e.g., cellular)
IEEE 802.11v - Wireless network management

Typical 802.11 Network
[Figure: typical 802.11 network. Labels: Wired Network (Distribution System, DS), Enables possibility of handoff; Access Point; Station; Basic Service Set A (BSS); BSS B; Extended Service Set (ESS)]
Transmits in unlicensed band - 100-300 ft. limit - Basic Service Area (BSA)
AP’s communicate with each other through the DS, forming ESS

802.11 Comparison with TWNs
TWNs were designed for voice communication
  • Underlying PSTN architecture
      - Establish a connection
802.11 was designed for data communication
  • Underlying LAN architecture based on IP
      - Connectionless – no end-to-end connection
      - There is no such thing as connection set up
      - There is ASSOCIATION between AP and STA

Why Association in 802.11?
TWNs
  • Location of MS determined only when needed
  • MSC asks BTS to send page
  • BTS sends
  • MS responds
  • End-to-end circuit established
802.11 works in IP environment
  • Not feasible to locate wireless equipment on a packet-by-packet basis
  • DS always needs to know end-user location
      - DS routes appropriate packets to AP as they arrive
Solution: Whenever STA is within the BSA of an AP, it associates

802.11 Association Process
Works as the Link Layer
STA probably not always actively transmitting/receiving data during period of association
  • Cellular connection is always transmitting/receiving
STA transmits “Probe” request
  • Contains Service Set ID on the network (ESS) it wants to connect to
If accepted, AP sends “Probe Response”
  • AP may only accept STA giving correct SSID
  • AP may accept only certain MAC addresses
  • AP may use 802.11 authentication

STA/AP Authentication
STA starts authentication process upon receipt of Probe Response
  • Mutual authentication at link layer between AP and STA
  • Goal: establish Link Layer connectivity
Two Possible Processes (details in Chapter 7)
  • Open System Authentication (OSA)
  • Shared Key Authentication (SKA)
Final step is Association
  • Logical connection between STA and AP
STA sends association request
  • Contains parameters such as STA capabilities and supported data speeds
AP sends Association Response
  • Accept
      - Traffic can flow between Distribution System (DS) and STA at link layer
  • Reject
      - No association

Competition in Access to the Medium
Wireless communications uses a medium that is inherently shared
Media Access Control (MAC) protocols control access to the medium
TWNs
  • Four channels allocated/no contention
      - BTS-MS signaling
      - BTS-MS voice (downlink)
      - MS-BTS signaling
          • Only place where contention can occur
          • Only place where MAC protocols are needed/used
      - MS-BTS voice (uplink)
WLANs
  • Every WLAN packet may contend for the medium
  • MAC protocols are essential
Basic LAN MAC Protocols
802.3
  • Carrier Sensing Multiple Access with Collision Detection (CSMA/CD)
      - Simple implementation
      - Continuous measurement of voltage on the wire
          • If voltage exceeds some threshold, a collision has occurred
      - Works well on shielded cable, where noise can be minimized
802.11
  • Carrier Sensing Multiple Access with Collision Avoidance (CSMA/CA)
      - “Listen before send” for a time interval
          • Time interval specified by Network Allocation Vector (NAV)
      - If busy (carrier sensed) wait for idle
      - If idle, wait a “little while longer”

Basics of 802.11 CSMA/CA
[Figure: RTS/CTS timing between Sender and Receiver. Labels: RTS (Request To Send, includes NAV time), SIFS, CTS (Clear To Send), SIFS, Data, SIFS, ACK; NAV MAC (RTS), NAV MAC (CTS)]
Sender waits a random time, then senses channel for an Inter-Frame spacing time (DIFS)
If senses no carrier, sender transmits RTS
All nodes hear RTS and NAV
  • Channel is assumed busy for the NAV period
If no collision, RTS reaches destination node
  • Destination responds with CTS including NAV
Upon receipt of CTS, sender has guaranteed access for CTS NAV time
Sender waits for ACK after sending

CSMA/CA Basics continued
[Figure: same RTS/CTS timing diagram as on the preceding chart]
Destination node waits Short Inter Frame Space (SIFS) time before sending ACK
If ACK not received, Sender assumes data was lost and will retransmit
If sender does not receive CTS, it assumes RTS is lost
  • Could be collision or lost by physical carrier sensing
Sender doubles its random time wait (binary exponential back-off) and contends for channel access again

Why the RTS/CTS Process?
Solves the Hidden Terminal Problem
  • C does not hear RTS sent by A (out of range)
  • C does hear CTS sent by B
  • C delays its transmission for NAV(CTS)
[Figure: nodes A, B, C, D in a row; X marks that A's transmission does not reach C]
Reduces probability of collisions
  • RTS and CTS are short compared to other packets
      - Typically ~20 bytes
      - Probability of collision of two RTS/CTS is very small
802.11 allows nodes to send without RTS/CTS if data is very short
  • But, successful RTS/CTS reserves the channel for NAV time

Security in Traditional Wireless Networks (TWNs)

Security in 1st Generation TWNs
1st Generation based on AMPS
  • Analog radio interface (FM)
  • Anybody with a police tuner could listen in
      - No legal recourse
          • Laws against wiretapping applied ONLY to wireline communications
  • Authentication of mobile handset to the network was based solely on the ESN
      - Sent in the clear
      - Easy to capture, clone, and steal service
          • This was a driving force for major improvements in 2nd generation TWN security
Little or no security in AMPS

Security in 2nd Generation TWNs
Move to digital base opened many possibilities
  • Much more sophisticated (and costly) equipment needed for eavesdropping due to:
      - Sophisticated speech coding algorithms
      - Gaussian Minimum Shift Keying
      - Digital modulation
      - Slow frequency hopping
      - Time division
      - Code division
Digital was only the start for security in 2nd Generation TWNs …

2nd Generation System Architecture
[Figure: 2nd generation system architecture. Labels: MS (includes SIM), Um, BTS, BSC, BSS, A Interface, MSC/VLR, HLR, AUC, EIR, SMS-GMSC, SS7 Network, NSS, OSS, Public Network, PSTN, ISDN, CSPDN, PSPDN]
Security focus in 2nd Gen TWNs on the Um interface (BTS-MS/ME)
Significant level of security to right of A Interface based on limited physical access

Location of the ME
Subscriber is uniquely identified by the IMSI in the SIM
TWNs use IMSI to route calls
Network knows where each IMSI is at all times
  • Each time user crosses cell boundary, ME notifies new IMSI location
      - Enables network to route incoming calls correctly
There is a one-to-one mapping between IMSI and subscriber identity
Geographic location of subscriber is easily determined
GSM provides protection through use of Temporary Mobile Subscriber Identity (TMSI)
Note: GPS chips are mandatory in US cellphones since 2004
  • Enable location services
  • Can also be used by law-enforcement authorities

GSM Key Establishment
GSM uses a 128-bit preshared secret key
  • Secures interface between BTS and ME
There is no key establishment protocol in GSM security architecture model
Each SIM has a unique key – Ki
  • Stored in SIM and in the Authentication Center (AUC)

GSM Authentication
[Figure: GSM authentication message flow between ME (SIM card with stored A3, A8, IMSI, Ki), BTS/BSC, MSC, HLR and AUC]
  1. Sign on
  2. Request security triplets
  3. Request Ki
  4. Send Ki
  5. Send 5 triples
  6. Send RAND
  7. Send SRES
  8. Verify SRES
Security triple contains:
  • 128-bit random number RAND
  • Session key Kc (64-bit)
      - Encryption key generated using Ki and the A8 algorithm
  • 32-bit signed response to RAND – SRES
      - Generated using Ki and session key Kc
MSC picks one triple and sends RAND from that one to ME
ME generates SRES using stored Ki and the A3 and A8 algorithms
  • Inherent trust between HLR/MSC, MSC/BSC, and BSC/BTS
  • Security focus is on radio interface only

GSM Authenticates the SIM
The network authenticates the SIM, not the subscriber
  • Ki is stored in the SIM and the AUC
Stolen ME can be identified from the Equipment Identification Register (EIR)
  • Subscriber must report stolen ME to EIR
  • MSC must check EIR for problems with ME
  • Could do a similar thing for stolen SIMs

The GSM Security Algorithms
A3 and A8 are only labels
Service provider is free to use any algorithm they want for A3 and A8.
  • A3 Functionality
      - Ki (128-bit) and RAND (128-bit) inputs to A3
      - SRES (32-bit) output from A3
  • A8 Functionality
      - Ki (128-bit) and RAND (128-bit) inputs to A8
      - Kc (64-bit) output from A8
      - Note that inputs are the same
  • Most service providers use the same algorithm for A3 and A8
      - COMP128 is GSM Spec reference algorithm
      - Generates 32-bit SRES and a 54 bit number
      - 10 zeros added to 54 bit number to generate Kc
While authentication process is between ME and servicing MSC, the MSC goes to the HLR for the ME
  • Home network indirectly does the authentication
  • HLR and SIM “belong” to the same service provider
      - Allows seamless roaming

GSM Confidentiality
Generation of Session Key Kc provides a security context
  • Kc is used to provide confidentiality over the radio interface
  • Packet encryption of air interface uses A5 algorithm
      - A5 is a real algorithm, specified in GSM standard
      - Roaming requirement is behind use of a real algorithm here
          • Home network is not involved in encryption of the ME/BTS transmission
          • All service providers must use same algorithm to allow roaming to work
A5 is a streaming algorithm
  • Generates unique key stream for every packet
      - Uses Kc and frame sequence number as input
      - Confidentiality depends on keeping Kc secret
  • GSM allows Kc to be changed at regular intervals or as required by service provider
A5 is implemented in the Mobile Equipment
  • Not in SIM, where A3 and A8 are implemented

GSM Vulnerabilities – Biggest Concerns
Principal vulnerability – No integrity protection
  • Man-in-the-middle attacks are possible
Major concern
  • Encryption limited to radio interface
      - Based on 1980s assumption that only the air interface needed to be protected
      - Link between Base Station Controller (BSC) and BTS is often a microwave route
          • Attractive target for attackers

GSM Vulnerabilities – A5 Algorithm
  • Encryption algorithms are weak
      - Not published
          • Encryption algorithms strongest when open to public review
      - Originally constrained by export limits on cryptography
      - A5 algorithm can be compromised within hours
          • Secure enough for real-time communications
          • Encryption of recordings can be broken easily
          • Short length of key (effectively 54 bits) is major issue
          • Technically multiple A5 algorithms
              - A5 originally too strong for export
              - A5/1 has effective key length of 54 bits
              - A5/2 has effective key length of only 16 bits
  • GSM Security Algorithm is inflexible
      - Very difficult to change algorithms
      - Difficult to increase key length

GSM Vulnerabilities – One Way Authentication
Network verifies identity of Mobile Equipment (ME)
No provision for ME to verify identity of network
“Rogue” BTS could masquerade as a “good” network
  • Not credible in late 1980s
  • Real possibility today

GSM Vulnerabilities – Real Attacks
SIM Cloning
  • Goal – get subscriber’s key – Ki from SIM card
      - Can be used to listen to calls
      - Service theft
          • Calls placed with Ki will get billed to that subscriber
  • Mechanism
      - Send list of chosen plaintexts to SIM as challenges (RAND)
          • See Step 6, Chart 9
      - SIM A8 generates/sends SRES responses to challenges
          • Gives attacker plaintext/ciphertext pairs
          • If A8 is COMP128 reference algorithm AND
          • If RANDs are chosen carefully
          • THEN Ki can be discovered
Attack can succeed in hours, with PC and physical access to the smart card
Can be launched wirelessly over the air interface
  • Attacker masquerades as a rogue BTS
Alternate approach
  • Have AuC generate SRES of given RANDs instead of SIM
  • Exploits lack of security in SS7 network

General Packet Radio Service (GPRS)
2.5G GSM Architecture (GPRS)
[Figure: GPRS architecture. Labels: MS, BTS, Abis Interface, BSC, Gb Interface, SGSN, Gn Interface, Ln Interface, GGSN, Gi Interface, HLR, Public Land Mobile Network (PLMN)]
  SGSN: Serving GPRS Service Node
  GGSN: Gateway GPRS Service Node
Provides Data Connectivity to Web Servers at OSI Layer 2 (point-to-point)

Observations on 2.5 G Data
Voice is typically highly compressed
  • Signal processing uses no more than ~8 kb/s per voice circuit
  • 2.5G data typically several times higher than 8 kb/s
      - GSM/TDMA – assign multiple time slots
      - CDMA – assign multiple codes or allocate fractional or whole spread spectrum to data

Security Implications of GSM/GPRS Approach
[Figure: Mobile Station sends Packet 1, Packet 2 and Packet 3 via BTS; Defragmented Packets at the SGSN]
Multiple timeslots may belong to different BTSs
  • Roaming could cause this
Solution: Move encryption/decryption from BTS to SGSN
  • SGSN is equivalent of VLR and MSC
Effectively protects against eavesdropping between BTS and SGSN

Wireless Application Protocol (WAP)
Web browsing typically requires higher bandwidths (100s of Kb/s to Mb/s) than GPRS can support
Mobile phones can’t support
  • Bandwidth constraints
  • CPU processing speed constraint
  • Screen size constraint
Solution: Wireless Application Protocol (WAP)
  • Open spec for accessing Internet content and services
  • Designed for Mobile phones/smart phones/PDAs

WAP Network Architecture / WAP Protocol Stack
[Figure: Mobile Device, Radio Link (GSM, GPRS), Remote Access Server (ISP), WAP Gateway (Service Provider), Internet Link (typically a wired connection), Web Server / Internet Server. Mobile Device Protocol Stack: WAE, WSP, WTP, WTLS, WDP, IP, PPP, CSD-RF. Gateway and server stack labels: WTP, WTLS, TCP, IP]
  WAE = Wireless Application Environment
  WSP = Wireless Service Protocol
  WTP = Wireless Transport Protocol
  WTLS = Wireless Transport Layer Security
  WDP = Wireless Datagram Protocol
End-to-end security using Wireless Transport Layer Security (WTLS)
WAP gateway reformats data for ME
End-to-End Security achieved through WTLS

WTLS Protocol
[Figure: message exchange between (Client) and (Server)]
  1. Client to Server: Client Hello
  2. Server to Client: Server Hello; Server Certificate; Server Key Exchange; Certificate Request; Server Hello Done
  3. Client to Server: Client Certificate; Client Key Exchange; Certificate Verify; [Change Cipher Spec]; Finished
  4. Server to Client: Change Cipher Spec; Finished
  Application Data
  • Modeled along lines of SSL/TLS
  • Modifications, for wireless environment
      - Datagrams may be lost, duplicated, …
      - Long round trip times/limited bandwidth
      - Limited capability of ME (relative to a PC)

Recall: Active or Mobile Code
Active or Mobile code = code that is pushed to a client for execution
  • Scripts (replace communication from client)
      - Malicious user monitors browser/server communication
      - Sees how changed web page entry affects browser and how server reacts
      - Malicious user then manipulates server’s actions, e.g. using CGI script to obtain a password, or initiate action
  • Java Code
      - Hostile applet can harm client’s system
          • Not screened for safety
          • Runs with privileges of invoking user
  • ActiveX – Microsoft’s answer to Java
      - Authentication verifies source of code but not its correctness or safety
WAP can check certificates before allowing execution of Active or Mobile Code

UMTS (3G) Security
Design uses GSM security as starting point
  • Adopt the best features
  • Redesign the weak features
  • Promotes interoperability between GSM and UMTS elements
Anonymity
  • Recall GSM IMSI/TMSI
      - Temporary ID (TMSI) used as much as possible to protect subscriber identity
  • Key Principle: Encrypt anything over the air that could reveal the subscriber identity
Issue
  • ME identifies itself first by its IMSI
  • TMSI should only be allocated by MSC/VLR AFTER encryption has started
  • Encryption can’t start until Cipher Key (CK) is established
  • CK cannot be established until subscriber is IDd by IMSI
Conflict?!
Not a Conflict
TMSI has only local significance
  • Allocated by VLR/MSC
  • IMSI/TMSI mapping maintained in the VLR/MSC
When roaming to a new area, subscriber continues to use the only TMSI
  • New VLR/MSC doesn’t recognize
  • In UMTS, the new VLR/MSC tries to get the IMSI from the old VLR/MSC
  • If, and only if, IMSI is not available, does the new VLR/MSC require the user to go through the full identification process
New VLR can usually get info from old VLR

Potential Additional Source of Identity Compromise in UMTS
Sequence Number (SQN) used by ME in authenticating network
  • Compromise can also trace a subscriber
      - Network maintains a per-subscriber SQN list
      - Incremented sequentially
Solution:
  • 1. Encrypt SQN
  • 2. Use Authentication Key (AK) in Authentication and Key Agreement (AKA) process
      - AK derived independently at USIM and VLR/MSC
      - AK is never transmitted over the air
  • There is no key establishment process in UMTS
  • Uses preshared secret key between USIM and AuC
  • Just like 2G, and 2.5G

UMTS Authentication Process
Almost identical to GSM process (Charts 9-10)
One significant difference – authentication is mutual
  • Network authenticates ME (technically the USIM)
  • ME (USIM) authenticates network

UMTS Authentication
[Figure: UMTS authentication message flow between USIM, ME, Node B, RNC, MSC, VLR, HLR and AUC]
  1. “Sign on”
  2. Request authentication vectors
  3. Generate RAND & SQN
  4. Request Ki, XRES
  5. Send Ki, XRES
  6. Generate/Send Authentication Vector(s)
  7. Store Authentication Vector(s) & Send first
  8. RAND/AUTN (from MSC)
  9. USIM Authenticate Network. Compute RES
  10. RES
  11. Compare RES/XRES
  12. Compute CK and IK
  13. Select CK and IK
Authentication vector is a “security quintet”
  • RAND (128-bit random number)
  • SRES (32-bit signed expected response to RAND)
  • CK (128-bit Cipher Key (or encryption key))
  • IK (128-bit Integrity Key)
  • AUTN (128-bit Network Authentication Token containing AK)
AK = Anonymity Key
XRES = eXpected subscriber RESponse
  • Security focus is no longer only on radio interface
  • Mutual authentication between network and mobile equipment

Authentication Vector (AUTN) Generation Process* at HLR
[Figure: Generate Sequence No. SQN, Key K (from AuC), Authentication Management Field (AMF) and Generate Random No. RAND feed functions f1 to f5]
  f1: MAC (Message Authentication Code)
  f2: SRES
  f3: CK
  f4: IK
  f5: AK (Anonymity Key)
Five different functions generate five values from 2 inputs (3 for f1)
Authentication Token (AUTN) = SQN (+) AK || AMF || MAC
Security Quintet = RAND, XRES, CK, IK, AUTN = Authentication Vector
* Item 6. on preceding chart

USIM Response Generation*
[Figure: inputs are RAND and AUTN (from HLR/AuC), carrying SQN (+) AK, AMF and MAC, plus K (stored in USIM). f5 yields AK, which recovers SQN; f1 yields XMAC; f2 yields RES; f3 yields CK; f4 yields IK]
Goals of the process:
  • Verify that XMAC matches MAC received in the Network Authentication Token
  • Verify that SQN from network is in the correct range
  • Compute RES to send to network, for network to verify USIM
* Item 9. on chart 28

Results of UMTS Authentication
Three keys established/agreed between USIM and network
  • CK = 128-bit Cipher Key for confidentiality
  • IK = 128-bit Integrity Key for maintaining integrity
  • AK = Anonymity Key for protecting anonymity of subscriber
  • GSM left choice of authentication algorithms to service provider
      - Recommended COMP128
  • UMTS leaves choice of authentication algorithm to service provider
      - Provides example: MILENAGE

Confidentiality – Encrypting the UMTS Bitstream
[Figure: at the Sender (UE or RNC), COUNT-C, BEARER, DIRECTION, LENGTH and CK feed f8, which outputs a KEYSTREAM BLOCK that is combined with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK; at the Receiver (RNC or UE), the same inputs feed f8 and the KEYSTREAM BLOCK is combined with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK]
  COUNT-C = 32-bit ciphering sequence no. updated sequentially for each plaintext block
  BEARER = 5-bit channel number for carrying end user’s traffic
  DIRECTION = 1-bit to indicate “uplink” or “downlink” traffic
  LENGTH = 16-bit number giving size of the block
  • Extends encryption protection from ME all the way to RNC
  • Eliminates vulnerability of microwave link between RNC and Node B
  • Applies to all subscriber traffic plus all signaling messages

Integrity Protection of the UMTS Bitstream
[Figure: Sender (UE or RNC): COUNT-I, DIRECTION, MESSAGE, IK and FRESH feed f9, giving MAC-1, attached to message by Sender. Receiver: COUNT-I, DIRECTION, MESSAGE, CK and FRESH feed f9, giving XMAC-1, calculated by Receiver from message]
  COUNT-I = 32-bit integrity sequence no. updated sequentially for each plaintext block that is integrity protected
  BEARER = 5-bit channel number for carrying end user’s traffic
  DIRECTION = 1-bit to indicate “uplink” or “downlink” traffic
  FRESH = 32-bit per-connection nonce
  • Receiver compares MAC-1 and XMAC-1 to verify integrity of message
  • Applied to all except specifically excluded set of signaling messages
  • Integrity of number of user packets sent is protected by checking sequence nos.
  • Protects against insertion/deletion of voice packets

TWN/DOWN Convergence
Integration of Voice and Data clearly arriving with 2.5G networks
3G network more closely tied to IP-based networks
  • SS7 signaling to be replaced with IP-based signaling
4G networks will be all IP
UMTS MAPSEC model extends well to MAP over IP
  • Fundamental reason behind strong IPSec influence

Security in Wireless Local Area Networks (WLANs)

Initial Approach to WLAN Security
WEP – Wired Equivalent Privacy
  • Original IEEE 802.11 security architecture and protocol
  • Intended to provide Confidentiality, Integrity and Authentication (C.I.A.)
  • 802.11 designed as a “wireless Ethernet”
  • Aim of WEP – provide security “equivalent” to traditional wired LAN security
Issue: What is “equivalent”?
  • 802.3 security based on restricted access to the medium
  • There is no simple way to restrict access to the wireless media of 802.11
  • Debate over what constitutes “equivalency” raged through the 90’s
WEP discovered to be a disaster in 2002!

TWN/802.11 Comparison
Similarity
  • TWNs and 802.11 security focuses on wireless medium in access network
      - Last hop
Differences
  • TWNs enable wireless subscriber to communicate with any other subscriber
      - Wireless or wired
      - Anywhere in the world
      - Support seamless roaming over large geographic area
  • 802.11 concerned only with last-hop connectivity
      - No concept of end-to-end connectivity
          • Each packet independently routed
      - Small geographic coverage
      - Limited support for roaming
      - Scope restricted to wireless access network only

802.11 Key Establishment Protocol
Does not exist!
802.11 depends on preshared keys
  • Keys stored in mobile nodes (STAs) and Access Points (APs)
No specification for how preshared keys are established
  • Assumed to be established “out-of-band”
Key establishment process is outside scope of WEP

802.11 Key Establishment Issues
Keys must be manually entered into all STAs and the AP for a Basic Service Set (BSS)
  • Process is subject to manual error
Human nature leads to weak, easy-to-guess keys
  • 90% of people didn’t even bother to turn on WEP
All STAs plus WPA must have same set of keys
  • There is no way to assign unique keys to STAs within a BSS
  • Up to four keys are allowed
      - Allows STAs to be divided into four groups
Most real-life deployments use same key across all BSSs in an Extended Service Set
  • Simplifies roaming
  • Makes key more susceptible to exposure
  • Key establishment is one of the toughest problems in network security
  • 802.11 designers did not anticipate seriousness of issue
  • Would not have been as serious if 802.11 were not so successful

Anonymity in 802.11
Subscriber anonymity is a major concern in TWNs
  • IMSI used for call routing
  • IMSI maps to individual subscriber
Most data networks have evolved from IP
  • Subscriber anonymity is not a major concern
  • IP address used for call routing
  • Not normally any permanent mapping between subscriber and IP address
IP addresses are dynamically assigned by DHCP
  • Can and do change with time
Use of Network Address Translation (NAT) adds another layer of protection
  • How will the switch from IPv4 to IPv6 change this?

Authentication in 802.11
Physical control of access to wired medium is strong
No physical access control in wireless world
802.11 Authentication Process
  • APs broadcast beacons (periodically)
      - Management frames announcing existence of network
      - Allow STAs to find and ID a network
      - Beacon contains Service Set ID (SSID)
          • Uniquely Identifies a particular Extended Service Set (ESS)
  • STAs access APs through active or passive scan
      - Passive – look for Beacons advertising network
      - Active – send probe request asking for a beacon
          • SSID=0 means “I’ll take any network”
          • Otherwise request a specific SSID (the norm)
  • AP responds with Probe Response if this STA is acceptable
  • Station or user chooses network, using either of two forms of authentication
      - Open System Authentication
      - Shared Key Authentication
Access control is a primary purpose of authentication

802.11 Open System Authentication
[Figure: message exchange between STA and AP]
  1. STA to AP: Authentication Request: Auth. Alg. = 0, Trans #=1
  2. AP to STA: Auth. Response: Auth. Alg. = 0, Trans #=2, Status=0/*
Authentication request contains authentication algorithm the STA wants to use (0 for OSA)
If AP accepts OSA, it responds with authentication response
  • No check is done on ID of STA
  • Any station that wants to join can do so
If AP is configured to accept ONLY Shared Key Authentication
  • AP can deny access to OSAS request
  • 802.11 Default Authentication Algorithm
  • OSA = no authentication at all

802.11 Shared Key Authentication (SKA)
[Figure: message exchange between STA and AP]
  1. STA to AP: Authentication Request: Auth. Alg. = 1, Trans #=1
  2. AP to STA: Auth. Response: Auth. Alg. = 1, Trans #=2, Data = 128-byte random #
  3. STA to AP: Auth. Resp: Auth. Alg. = 1, Trans #=3, Data = Encrypted (128-byte # rcvd)+STA IV
  4. AP to STA: Auth. Resp: Auth. Alg. = 1, Trans #=4, Status=0/*
SKA uses challenge-response system
  • Allowed stations share a secret key
      - Key distribution method not specified
  • Station and AP must be WEP enabled
Challenge text is 128-byte number
  • Generated at AP by pseudorandom number generator, using secret key plus AP Initialization Vector (IV)
  • STA encrypts random no. using WEP and its own IV for response (3.) and sends encrypted no. and its IV
  • AP decrypts using preshared key and STA IV
  • If match, AP accepts STA as authenticated
  • Strength of SKA depends on keeping shared key secret

Three Handoff Scenarios
[Figure: Wired Network (Distribution System, DS), Enables possibility of handoff; AP A in Basic Service Area A (BSA A); AP B in BSA B; Extended Service Area (ESA)]
  1. STA moves within BSA (no changes)
  2. STA moves from BSA A to BSA B
  3. STA moves to different ESA, requires Layer 3, e.g. Mobile IP
802.11 deals only with inter-BSA roaming.
STA senses stronger signal from AP B than AP A as it crosses BSA A/BSA B boundary
STA disconnects from AP A, then connects to AP B as if it had never been connected to AP A

802.11 Handoff Issue
Re-authentication from one AP to another causes significant delay
  • Second biggest contribution
  • Second only to channel scan/probe time
Re-authentication delay is particularly problematic for real-time applications
  • Voice
  • Music
  • Streaming video
  • …

802.11 Authentication Issues
802.11 Shared Key Authentication (SKA) mode uses same key shared among multiple STAs
  • There is no way to know which of several STAs are trying to authenticate
  • Difficult to remove a particular STA from a list of authorized STAs
      - Requires changing/redistributing keys to all STAs
      - Many deployments share same key among multiple APs
802.11 SKA authentication is “one-way”
  • Network authenticates STA
  • STA cannot authenticate network
      - Allows rogue AP to hijack STA session
          • Very plausible with APs that cost only $20-30
          • STA may not ever realize it has been hijacked
          • AP can read all data passing through
SKA is based on WEP
  • WEP has severe problems!

Analysis of Alternatives to SKA
• Authenticate only STAs that know the SSID
  • AP only responds to probe request containing the correct SSID for the AP
  • Prevents “wild-card” connections
  • Does not provide much security
    • SSID is the secret
    • SSID easy for eavesdropper to obtain
• Base authentication on MAC addresses (address filtering)
  • AP maintains MAC addresses of all allowable STAs
  • Only STAs with addresses in the list are allowed to connect
  • Not very secure
    • Most wireless access cards allow user to change the MAC address via software
    • Easy for eavesdropper to listen, get a valid MAC address, and then change their own MAC address to one on the list
• These pseudo-authentication schemes are weak

Wireless Encryption Protocol (WEP)
[Figure: WEP encryption, steps 1-10. Plain text MPDU (MAC Protocol Data Unit); calculate Integrity Check Value (ICV, 4 bytes) over length of MPDU; concatenation of MPDU and ICV; generate key seed from Initialization Vector (3 bytes) and shared key (1 of 4, 40 bits*); RC4 produces keystream; XOR yields ciphertext; transmit 802.11 MAC header, IV + Key ID (4 bytes), ciphertext]
• ICV = CRC-32(MPDU)
• Ciphertext = RC4 encryption of payload + ICV
* Revised version allows 128-bit shared key

WEP Decryption
[Figure: WEP decryption, steps 1-10. Receive 802.11 MAC header, IV + Key ID (4 bytes), ciphertext; generate key seed from Initialization Vector (3 bytes) and shared key (1 of 4, 40 bits*); RC4 produces keystream; XOR with ciphertext recovers MPDU and ICV (4 bytes); calculate Integrity Check Value over length of MPDU and check for match; deliver if match, discard if no match]
* Revised version allows 128-bit shared key

...
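
The WEP encryption and decryption steps from the two slides above, together with the Shared Key Authentication exchange from the SKA slide, as an added Python example (not part of the original slides). The key values, function names, the use of `os.urandom` for the AP's challenge and the nonzero failure status are assumptions of this example.

```python
import os
import struct
import zlib

STATUS_OK, STATUS_FAIL = 0, 1   # 0 as on the slide; 1 is a constructed nonzero value

def rc4(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key seed."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                            # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(key, key_id, mpdu, iv=None):
    """Return IV + Key ID (4 bytes) followed by RC4(MPDU || ICV)."""
    iv = iv or os.urandom(3)                      # 3-byte IV, sent in the clear
    plain = mpdu + struct.pack("<I", zlib.crc32(mpdu))   # ICV = CRC-32(MPDU)
    ks = rc4(iv + key, len(plain))                # key seed = IV || shared key
    cipher = bytes(p ^ k for p, k in zip(plain, ks))
    return iv + bytes([key_id << 6]) + cipher     # Key ID in top 2 bits of byte 4

def wep_decrypt(keys, frame):
    """Return the MPDU, or None when the ICV does not match (discard)."""
    iv, key_id, cipher = frame[:3], frame[3] >> 6, frame[4:]
    ks = rc4(iv + keys[key_id], len(cipher))
    plain = bytes(c ^ k for c, k in zip(cipher, ks))
    mpdu, icv = plain[:-4], plain[-4:]
    return mpdu if struct.pack("<I", zlib.crc32(mpdu)) == icv else None

def ska_authenticate(ap_keys, sta_key, key_id=0):
    """Run SKA messages 2-4; return the status the AP sends in message 4."""
    challenge = os.urandom(128)                   # msg 2 (AP -> STA); stands in for the AP's PRNG
    response = wep_encrypt(sta_key, key_id, challenge)   # msg 3 (STA -> AP)
    ok = wep_decrypt(ap_keys, response) == challenge     # AP decrypts with STA IV
    return STATUS_OK if ok else STATUS_FAIL       # result carries no STA identity

if __name__ == "__main__":
    keys = {0: bytes.fromhex("0102030405")}       # constructed 40-bit key
    print(ska_authenticate(keys, keys[0]), ska_authenticate(keys, b"guess"))
```

Every STA holding the shared key gets the same successful status, which is why the AP cannot tell stations apart or revoke one without rekeying all of them, and nothing in the exchange lets the STA verify the AP.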

This note was uploaded on 08/29/2011 for the course CSC 607 taught by Professor Dr.pradipp.dey during the Spring '11 term at National.
