Wireless Security and Attack trees in Wireless Networks:

By Ramakrishnan Subramanian, Scuola Sant’Anna, Pisa, Italy
A Brief Abstract
The paper’s main focus is to identify weaknesses in present wireless networks and to formulate
attack trees to represent them. The paper hopes to advocate a systematic approach to ensuring wireless
security; it is nothing more than a tutorial to stimulate such an approach.
Table Of Contents
1. Introduction
2. Attack Tree Basics
3. Typical Security Flaws in Wireless Networks
4. High-level Wireless Attack Tree
5. Solutions
6. Conclusion
7. Bibliography
1. Introduction:
Wireless networks as they are used today have plenty of security issues and breaches. Our aim is to
model attack trees for possible wireless threats and to think about possible solutions [1]. The paper is
aimed at giving students and designers a blueprint for thinking about and planning wireless system
security before an implementation exists. It is better to start with all the issues clearly defined and
then work on security, since re-modelling a network that is already deployed is never easy. The paper
deals with many issues from the basics, to make it readable for a wider section of fellow students. My
intended audience is fellow students and juniors.
2. Attack Tree Basics:
2.1 Attack Trees:
We focus on attack tree semantics and format. Attack trees have recently been systematically applied
to detect security flaws (Schneier00). An attack tree has a root node and sub-nodes. The
network/enterprise security is the root of the tree. The possibilities of an attacker breaking in
iteratively and incrementally are represented as lower-level nodes of the tree. Each path through the
tree shows one way in which an attacker can reach the root goal; there can be multiple paths.


Structure and Semantics:
A node has either
1. a set of attack sub-goals, all of which must be achieved in order for the attack to succeed,
represented as an AND decomposition; or
2. a set of attack sub-goals, any one of which needs to be achieved for the attack to succeed,
represented as an OR decomposition.
We can have a graphical as well as a textual representation. Throughout the paper I will follow the
textual one. Readers interested in the graphical format can refer to [1].
2.2 Attack Patterns:
An attack pattern is a generic representation of an attack and it contains:
- the overall goal of the attack;
- the list of preconditions;
- the steps for carrying out the attack;
- the list of postconditions that become true when the attack succeeds.
I will give the example of war driving. War driving is driving around areas with some tools for
sniffing the wireless airwaves and looking for open or unprotected networks. This can be represented as:
War Driving to discover networks
Goal: Identify unprotected networks.
Precondition: A tool like AirSnort or NetStumbler, and open networks present.
Attack:
OR 1. Find the network address of vulnerable networks and AP information.
   2. Find out about the encryption scheme and authentication mechanism.
AND 1. Capture even protected data and messages.
    2. Do cryptanalysis to find network secrets.
Postcondition: Attacker has information compromising network security.
This is a very elementary example, but I hope it proves the point.
One can combine all this to form an attack profile. An attack profile takes a set of attack patterns and
identifies the patterns common to them. These common patterns can be used to analyse and formulate
security measures.
3. Typical Security Flaws in Wireless Networks:
3.1 Easy Access
1) Setting up ad-hoc wireless networks:
One can set up ad-hoc wireless networks on the fly without any access points and security mechanisms.
This is the most dangerous case and the most open to attacks, since it has no security considerations at all.
2) WLAN parameters for authentication:
The service set ID (SSID) is in fact the network id. Even though only the users and the system
administrator are supposed to know it, it can easily be found by sniffing.
The SSID is an identification value programmed into the access point, or group of access points, to
identify the subnet. This segmentation of the wireless network into multiple networks is a form of
authentication check: if a wireless station does not know the value, it cannot connect to that AP. When
a client computer connects to the access point, the SSID acts as a simple password, thus providing
a measure of security.
SSID security alone is very weak because the value is known by all network cards and access points,
and is easily accessible over the air, since no encryption is applied to it. The access point is usually
configured to broadcast its SSID; when broadcasting is enabled, any client that does not yet know the
SSID can receive it and gain access to the access point. Users are also able to configure their own
client systems with the appropriate SSID, because SSIDs are widely known and easily shared. Also,
since the AP itself is never authenticated to the client, a rogue AP can mount a man-in-the-middle attack.
3.2 WEP Algorithm:
The other important mechanism is WEP (Wired Equivalent Privacy). This is meant to give a wireless
link the same integrity as a wired one. The following describes how the network functions with
encryption support.
WEP Algorithm
The WEP security protocol is intended to protect against eavesdropping and to give security
equivalent to the physical security of a wired network. WEP is the encryption standard specified by
the IEEE 802.11 architecture. WEP encrypts a data frame and its content to protect authorized users on a
WLAN. WEP uses a 40-bit secret key for authentication and encryption, and other IEEE 802.11
implementations allow a 104-bit secret key. The encryption key is concatenated with a 24-bit
"initialization vector" (IV), resulting in a 64- or 128-bit key.
When encryption is enabled, the access point issues an encrypted challenge packet to any client
attempting to connect to it. The client then uses its key to encrypt the correct response in order to
authenticate itself and gain network access [3],[5]. The client computer and the access point use the
same key to encrypt and decrypt data. All WEP keys on a wireless LAN must be managed manually,
because no key management protocol is specified for their distribution. The WEP security protocol
can only be implemented on a client/server wireless LAN with an access point; it cannot be used on a
peer-to-peer network.
WEP encryption has weaknesses that are open to attack. WEP keys are static for both encryption
and authentication, making WEP susceptible to password replay attacks, traffic injection and
statistical attacks. Hackers would exploit the weakness by intercepting traffic, flipping bits and
injecting modified packets into the network. The researchers Nikita Borisov, Ian Goldberg and David
Wagner at the University of California, Berkeley discovered security flaws in WEP, and their paper [3]
deals in detail with all possible security flaws. It is a must-read to understand the WEP flaws. It is
possible for an attacker to change the destination in a packet to his own address [4]; the message
intended for another party then ends up with him, and this leads to the attacker learning more about
the network. The RC4 keystream is combined with the plaintext by a linear XOR, so an attacker can
change bits of a ciphertext predictably, which makes trial-and-error cracking faster. Also, IVs are
repeated many times, especially after power-on, and the Berkeley researchers have shown that this
speeds up cracking of the code and helps in replay attacks.
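As an added example (not code from the paper), the following shows why a 24-bit IV is too small, using the birthday bound, and gives a simple check a defender can run over captured frames to flag IV reuse per access point. The BSSIDs and frames are constructed sample data.

```python
import math
from collections import Counter

IV_BITS = 24                 # WEP's per-frame initialization vector
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs

def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Birthday bound: P(at least one repeated IV) after `frames` frames."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

def frames_until_half_chance(space: int = IV_SPACE) -> int:
    """Number of frames at which an IV repeat becomes more likely than not."""
    return math.ceil(math.sqrt(2.0 * space * math.log(2)))

def find_iv_reuse(frames):
    """Return {(bssid, iv): count} for every IV seen more than once per AP.

    `frames` is an iterable of (bssid, iv) pairs, e.g. parsed from a capture.
    A repeated (bssid, iv) means the same RC4 keystream was used twice."""
    seen = Counter((bssid, iv) for bssid, iv in frames)
    return {key: n for key, n in seen.items() if n > 1}

# Constructed sample capture: the first AP reboots, its IV counter restarts
# at 0, and low IVs recur (the "power on" repetition the text describes).
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 0x000000), ("00:11:22:33:44:55", 0x000001),
    ("00:11:22:33:44:55", 0x000002),
    # ... AP power-cycled, IV counter back to zero ...
    ("00:11:22:33:44:55", 0x000000), ("00:11:22:33:44:55", 0x000001),
    ("66:77:88:99:aa:bb", 0x000000),   # a different AP: not a reuse for it
]

if __name__ == "__main__":
    print(f"P(repeat) after 5000 frames: {collision_probability(5000):.2f}")
    print("frames until a repeat is more likely than not:",
          frames_until_half_chance())
    for (bssid, iv), n in find_iv_reuse(SAMPLE_FRAMES).items():
        print(f"{bssid} reused IV {iv:06x} {n} times")
```

Even at a few thousand frames, well under a minute on a busy AP, a repeat is more likely than not, which is why the static-key plus small-IV design cannot be repaired by configuration.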
3.3 Poor Key Management:
There is no proper key management protocol. The following issues arise [4]:
- How the key is formed: poor key formation is a cause for concern.
- Key distribution.
3.4 Other Issues
For example: if an employee leaves a company and still has a wireless card, he can come back and
capture data from a nearby location. One way to prevent this is to use a MAC address filter with
ACLs (Access Control Lists) defined.
War Driving:
This is an elementary but important issue. Drive around with a wireless receiver and use a tool
like NetStumbler (there are many others; AirSnort is considered very good). NetStumbler will give
you information about wireless networks that have a default installation: the SSID, whether
encryption is on, and the BSSID. Even a basic hacker can eavesdrop and get a lot of information. AirSnort
goes a step further and makes it possible to recover keys after collecting a large amount of data.
4. Summary of Wireless Weaknesses in the form of a High-level Wireless Attack Tree:
Root: System/Enterprise Security.
OR 1. Data snooping
   OR 1.1 Read message/plain text
      1.2 Get the plain text/encryption key from a message
      1.3 War driving
   2. Authentication
   OR 2.1 Obtain connection
      2.2 Open system authentication (faking SSID)
   3. Network access
   OR 3.1 Knowledge of MAC address filter
      3.2 Ability to change MAC address with software
      3.3 All layer 3 knowledge, like gateway, subnets and firewall
   4. Inside the network
   AND 4.1 Port, services, OS scan
       4.2 Password crack and session establishment
   5. Denial of service attacks
   OR 5.1 Jamming
The above is an open-ended tree and by no means complete. There will certainly be other paths for
attack.
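As an added example (not from the paper), here the AND/OR semantics of Section 2.1 are applied to the tree above: the code encodes the Section 4 tree, enumerates every minimal set of leaf goals that reaches the root, and shows how closing one leaf with a control from Section 5 removes the scenarios that depend on it. Leaf labels are abbreviated from the tree; the node encoding is my own.

```python
from itertools import product

# A node is ("AND", [children]) or ("OR", [children]); a leaf is a string.
# This encodes the high-level tree of Section 4 (labels abbreviated).
WIRELESS_TREE = ("OR", [
    ("OR", ["1.1 read plaintext message",
            "1.2 recover plaintext/key from message",
            "1.3 war driving"]),
    ("OR", ["2.1 obtain connection",
            "2.2 open-system auth / faked SSID"]),
    ("OR", ["3.1 learn MAC filter entries",
            "3.2 change MAC address in software",
            "3.3 learn layer-3 layout"]),
    ("AND", ["4.1 port/service/OS scan",
             "4.2 crack password, establish session"]),
    ("OR", ["5.1 jamming"]),
])

def minimal(sets):
    """Keep only scenarios that contain no other scenario as a proper subset."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)), key=sorted)

def scenarios(node):
    """All minimal sets of leaf goals that satisfy `node` (AND/OR semantics)."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    per_child = [scenarios(c) for c in children]
    if kind == "OR":        # any one child suffices
        found = [s for sets in per_child for s in sets]
    elif kind == "AND":     # one scenario from every child, all at once
        found = [frozenset().union(*combo) for combo in product(*per_child)]
    else:
        raise ValueError(f"unknown node kind {kind!r}")
    return minimal(found)

def apply_mitigations(scens, blocked):
    """Scenarios that stay open when the leaf goals in `blocked` are prevented.
    Blocking any one leaf of an AND node closes that whole scenario."""
    blocked = set(blocked)
    return [s for s in scens if not (s & blocked)]

if __name__ == "__main__":
    all_paths = scenarios(WIRELESS_TREE)
    print(f"{len(all_paths)} attack scenarios reach the root:")
    for s in all_paths:
        print("  ", " AND ".join(sorted(s)))
    # Solutions (a) and (e) of Section 5 close the faked-SSID leaf:
    left = apply_mitigations(all_paths, ["2.2 open-system auth / faked SSID"])
    print(f"{len(left)} scenarios remain after mitigating faked SSID")
```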
5. Solutions:
a. Mutual authentication (to prevent man-in-the-middle attacks). Shared key authentication is
recommended over open system authentication.
b. Using a RADIUS server. After authentication at the AP, the user also needs to log on to the network
at the RADIUS server.
c. Decouple authentication from encryption. Use a random challenge packet (that is, after
authentication change the session key and transmit it back to the user), and use a one-way hash
function to relay the challenge and response.
d. Using a VPN to provide access within the network is preferable, as it ensures user authentication
a second time. Present VPNs can create problems when a user roams from one AP to another, but there
are solutions for this on the market too, like vicatores etc.
e. Don’t broadcast the SSID from an AP unless encryption is present.
f. Use multiple layers of security.
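As an added example (not from the paper), one way to realise solutions (a) and (c) together: a mutual challenge-response in which each side proves possession of the shared key with a one-way keyed hash over both parties' random nonces, and the per-session encryption key is derived from those nonces rather than being the long-term key itself. HMAC-SHA256 is my choice of one-way function (the paper only says "one-way hash"); party names, nonce size and the shared key are assumptions.

```python
import hmac
import hashlib
import secrets

def _tag(key: bytes, *parts: bytes) -> bytes:
    """One-way keyed hash over the labelled message parts (HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Party:
    """A station or AP holding the shared long-term key; the key is never sent."""
    def __init__(self, name: str, shared_key: bytes):
        self.name, self.key = name, shared_key
        self.nonce = secrets.token_bytes(16)   # fresh random challenge per run

    def respond(self, peer_nonce: bytes) -> bytes:
        # Proof of key possession bound to both nonces: replaying an old
        # response fails because the peer picks a new nonce every time.
        return _tag(self.key, self.name.encode(), peer_nonce, self.nonce)

    def verify(self, peer_name: str, peer_nonce: bytes, proof: bytes) -> bool:
        expected = _tag(self.key, peer_name.encode(), self.nonce, peer_nonce)
        return hmac.compare_digest(expected, proof)

def session_key(key: bytes, ap_nonce: bytes, sta_nonce: bytes) -> bytes:
    """Per-session key derived from, but never equal to, the long-term key:
    solution (c), authentication decoupled from the encryption key."""
    return _tag(key, b"session", ap_nonce, sta_nonce)

def mutual_auth(sta: Party, ap: Party):
    """Run the handshake; return (success, session key or None)."""
    # 1. AP -> STA: ap.nonce          2. STA -> AP: sta.nonce, sta_proof
    sta_proof = sta.respond(ap.nonce)
    if not ap.verify(sta.name, sta.nonce, sta_proof):
        return False, None
    # 3. AP -> STA: ap_proof, so a rogue AP without the key is rejected too
    ap_proof = ap.respond(sta.nonce)
    if not sta.verify(ap.name, ap.nonce, ap_proof):
        return False, None
    return True, session_key(sta.key, ap.nonce, sta.nonce)

if __name__ == "__main__":
    k = b"constructed-shared-key"            # assumed pre-shared secret
    print("genuine AP:", mutual_auth(Party("STA", k), Party("AP", k))[0])
    print("rogue AP:  ", mutual_auth(Party("STA", k), Party("AP", b"x"))[0])
```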
6. Conclusion
The challenges in confronting these problems are many. Today we just face the scenario of breaking
into wireless networks; soon it will be viruses and Trojan horses. Again, organizations linked to
wireless networks compromise their wired network security. Soon Voice over IP services will run on
wireless networks; how much security overhead can be permitted in such real-time applications? The
paper raises many such questions rather than answering them. I hope the solutions will come from
many researchers.
7. Bibliography:
1) Moore, Andrew P.; Ellison, Robert J.; Linger, Richard C. "Attack Modelling for Information
Security and Survivability."
2) Dell Corporation. "802.11 Wireless Security in Business Networks." September 2001.
3) Borisov, Nikita; Goldberg, Ian; Wagner, David. "Intercepting Mobile Communications: The
Insecurity of 802.11." August 2001.
4) Arbaugh, William; Shankar, Narendar; Wan, Y. C. Justin. "Your 802.11 Network has no
Clothes." 30 Mar 2001.
5) Fluhrer, Scott; Mantin, Itsik; Shamir, Adi. "Weaknesses in the Key Scheduling Algorithm of
RC4." 2001.
6) University of California, Berkeley, Computer Science Division. "Security of the WEP Algorithm."
7) IEEE 802.11 Working Group Recommendations, Standards.
8) Stubblefield, Adam; Ioannidis, John; Rubin, Aviel D. "Using the Fluhrer, Mantin, and Shamir
Attack to Break WEP."