Shehla and Furquan's slides

Wireless Networks: Challenges, Threats and Solutions
Shehla Rana
Furquan Shaikh
Talk Outline
• Introduction to wireless networks
• How wireless is different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
• IEEE 802.11 Security Tools
Wireless Networks
• Computing and communication
services, over the air, on the move
• Infrastructure-based Networks
• Ad hoc Networks
Infrastructure Mode
• Single hop wireless connectivity
o An Access Point is responsible for communicating with end-points in its “jurisdiction”
[Figure: Wired Network, Wireless AP]
Mobile Ad Hoc Networks (MANET)
• No access point
• Network formed by multiple wireless end-points
• Multi-hop wireless links
• Data must be routed via intermediate nodes
• Host movement/topology change may be frequent
Why Ad Hoc Networks ?
• Setting up of fixed access points and
backbone infrastructure is not always
viable
o Infrastructure may be
absent/destroyed in a disaster area or
war zone
o Easy, fast deployment
o Do not need backbone infrastructure
support
Wireless Mesh Networks
(WMN)
• No Access Point
• Multiple, autonomous wireless end-points
relaying data for each other
• Little or no mobility
• Long-term applications
• Weaker energy constraints
Wireless Sensor Networks
(WSN)
• A class of Ad-hoc/mesh networks
• Composed of small, inexpensive,
resource constrained devices
• Sensing data usually directed towards a
single “Sink”
• Multi-hop wireless links
How is wireless different?
• Can we apply media access methods
from fixed networks?
o CSMA/CD?
o Send when medium is free, listen into the
medium for collision
• Medium access problems in wireless
networks
o sender may apply CS and CD, but collisions
happen at receiver
o sender may not ‘hear’ the collision, i.e., CD
doesn’t work
o CS might not work, e.g. ‘hidden’ terminals
MAC: Collision Avoidance
• Collision avoidance: Once channel
becomes idle, wait for a randomly
chosen duration before attempting to
transmit
• IEEE 802.11
o When transmitting, choose a backoff in range
[0,cw];
o Count down backoff when medium is idle
o Count-down suspended if medium becomes
busy
o When backoff interval reaches 0, transmit
Misbehavior in Wireless
NWs: Outline
• Misbehavior at the MAC layer
o Impatient Transmitters
o Solutions and Challenges
• Misbehavior at the network layer
o Drop, corrupt packets
o Misroute packets
o Solutions and Challenges
Possible Misbehaviors: “Impatient” Transmitters
• Choose smaller Backoff
• Cause collisions with other hosts’ packets
• Those hosts will exponentially backoff on packet loss, giving free channel to the misbehaving host
• Must diagnose and discourage!
[Figure: hosts A and B, wireless channel, Access Point]
Solution 1: Passive Observation
• Receiver observes sender behavior. Are backoffs too short?
• Challenge: Receiver does not know exact backoff value chosen by sender
o Sender chooses random backoff
o Hard to distinguish between maliciously chosen small values and a legitimate value
o How long must receiver observe?
Solution 2: Rx driven
Backoff
• Remove the non-determinism
• Receiver provides backoff values to
sender
o Receiver specifies backoff for next packet in
ACK for current packet
o Backoffs of different nodes still independent
o Uncertainty of sender’s backoff eliminated
Drop/Corrupt/Misroute
• A node “agrees” to join a route
(for instance, by forwarding route request/reply) but
fails to forward packets correctly
• Why: Conserve energy, overload, launch a
denial-of-service attack
Solution: Watchdogs
• Exploit broadcast nature
• Verify whether a node has forwarded a packet or not
[Figure: nodes A, B, C, D, E; B sends packet to C]
Watchdogs at Work
• B can ‘hear’ whether C has forwarded packet or not
• B can also know whether packet is tampered with if no per-link encryption
[Figure: nodes A, B, C, D, E; C forwards packet to D; B overhears C forwarding the packet]
Watchdog At Work
• Forwarding by C may not be immediate: B must
buffer packets, and compare them with overheard
packets
• If packet stays in buffer at B too long, a “failure tally”
for node C is incremented
• If the failure rate is above a threshold, C is
determined as misbehaving, and source node
informed
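The buffering, failure tally and threshold described on this slide, as an added Python example that is not part of the original slides. The class and parameter names, the 0.5 s timeout, the 0.3 threshold and the second next hop G are assumptions made for illustration.

```python
from collections import defaultdict

class Watchdog:
    """State kept by node B about the next hops it hands packets to."""

    def __init__(self, timeout=0.5, threshold=0.3, min_packets=5):
        self.timeout = timeout          # max seconds a packet may sit in the buffer
        self.threshold = threshold      # failure rate above which a hop is reported
        self.min_packets = min_packets  # do not judge a hop on too few packets
        self.buffer = {}                # (next_hop, pkt_id) -> (sent_at, payload)
        self.sent = defaultdict(int)
        self.failures = defaultdict(int)

    def on_send(self, next_hop, pkt_id, payload, now):
        """B transmitted a packet that next_hop is expected to forward."""
        self.buffer[(next_hop, pkt_id)] = (now, payload)
        self.sent[next_hop] += 1

    def on_overhear(self, sender, pkt_id, payload, now):
        """B overheard sender forwarding; compare with the buffered copy."""
        entry = self.buffer.pop((sender, pkt_id), None)
        if entry is not None and payload != entry[1]:
            self.failures[sender] += 1  # forwarded, but tampered with

    def expire(self, now):
        """Packets that stayed in the buffer too long increment the failure tally."""
        for (hop, pkt_id), (sent_at, _) in list(self.buffer.items()):
            if now - sent_at > self.timeout:
                del self.buffer[(hop, pkt_id)]
                self.failures[hop] += 1

    def misbehaving(self):
        """Hops whose failure rate exceeds the threshold (reported to the source)."""
        return sorted(hop for hop, n in self.sent.items()
                      if n >= self.min_packets and self.failures[hop] / n > self.threshold)

def demo():
    # Constructed trace: C drops odd packets and alters packet 4; G forwards all.
    wd, now = Watchdog(), 0.0
    for i in range(10):
        payload = b"data-%d" % i
        for hop in ("C", "G"):
            wd.on_send(hop, i, payload, now)
        wd.on_overhear("G", i, payload, now + 0.01)
        if i % 2 == 0:
            wd.on_overhear("C", i, b"tampered" if i == 4 else payload, now + 0.01)
        now += 1.0
        wd.expire(now)
    return wd.misbehaving(), wd.failures["C"], wd.failures["G"]
```

A forwarding that B fails to overhear because of a collision lands in the same tally as a real drop, so the threshold has to leave room for ordinary loss.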
Watchdog Approach: Challenges
• Impact of Collisions
• If A transmits while C is forwarding to D, B will not know
[Figure: nodes A, B, C, D, E; C forwards packet to D]
Watchdog Approach: Challenges
• Reliability of Reception Not Known
• Even if B sees the transmission from C, it cannot always tell whether D received the packet reliably
o Misbehaving C may reduce power such that B can receive from C, but D does not
[Figure: nodes A, B, C, D, E; C forwards packet to D]
Watchdog Approach: Challenges
• Misdirection of Packets
• C forwards packets, but to the wrong node!
• With DSR, B knows the next hop after C, so this misbehavior may be detected
• With other hop-by-hop forwarding protocols, B cannot detect this
[Figure: nodes A, B, C, D, E, F]
Solution 2: Exploiting
Path Redundancy
• Design routing algorithms that can deliver data
despite misbehaving nodes
• “Tolerate” misbehavior by using disjoint routes
• Prefer routes that deliver packets at a higher
“delivery ratio”
Best-Effort Fault Tolerant Routing
(BFTR)
• The target of a route discovery is required to
send multiple route replies (RREP)
o The source can discover multiple routes
(all are deemed feasible initially)
1. Source chooses a feasible route based on the “shortest path” metric
2. Source uses this route until its delivery ratio falls below a threshold (making the route infeasible)
3. If existing route is deemed infeasible, go to (1)
BFTR: Issues
• A route may look infeasible due to temporary overload on that route
• The source may settle on a poorer (but feasible) route
• No direct mechanism to differentiate misbehavior from lower capacity routes
Solution 3: Micropayments
• Provide incentive for relaying packets
• A trusted third party: Accounting center
• Three phases:
• Communication:
o Source/dest issue payment receipts to intermediate nodes
• Receipt Submission:
o Relays claim their payments
• Payment Redemption:
o AC processes the receipts and issues payment
Route Tampering Attack
• A node may make a route appear too long or
too short by tampering with RREQ
• By making a route appear too long, the node may keep the route from being used
o This would happen if the destination replies to
multiple RREQ
• By making a route appear too short, the node
may make the source use that route, and then
drop data packets (denial of service)
Wormhole Attack
• Attacker makes a wireless ‘link’ appear
in the network when there isn’t one
• Not necessarily detrimental, since the
additional link can improve
performance
• Attacker assumes control over the fate of the traffic
o May analyze traffic
o Collect traffic for breaking encryption
Wormhole Attack
• Host X can forward packets from F and E unaltered
• Hosts F and E will seem “adjacent” to each other
• The fact that AFE really is AFXE will not be detected
[Figure: nodes A, B, C, D, E, F and host X]
Solution: Packet Leashes
• Additional information added to packets to restrict
maximum transmission distance of a packet
• Geographical leashes
o RX checks distance from the sender
o Signature to authenticate sender location, timestamp
o Distance too large, reject the packet
• Temporal Leashes
o Sender timestamps the packet, and receiver
determines the delay since the packet was sent
o If delay too large, reject the packet
o Sender cannot know MAC delays
Wireless Misbehavior:
Summary
• Hosts may misbehave or try to compromise security at all layers of the protocol stack
• MAC Layer
o Disobey protocol specifications for selfish gains
o Denial-of-service attacks
• Network Layer
o Disrupt route discovery/maintenance
o Force use of poor routes (e.g., long routes)
o Delay, drop, corrupt, misroute packets
Wireless Security Vulnerabilities
• Traffic Analysis
• Passive Eavesdropping
• Unauthorized Access
• Man-in-the-middle
• Session Hijacking
• Replay Attack
• Rogue AP
• DoS Attacks
• Pollution Attacks
Traffic Analysis
• Need:
o A wireless card in promiscuous
listening mode
• Threats:
o Detect activity on the network
o Using AoA, get physical location of
transmitter
o Type of protocols under use
Passive Eavesdropping
• No physical security protects against this!
• More than 50% APs use no encryption
• Attacker can get:
o Actual data
o Source, destination, timing of packets
[Figure: City of London - WLAN Traffic Surveyed; # of Access Points, Unencrypted vs. Encrypted (WEP), 2001 and 2002. Source: www.rsa.com/rsalabs/.../kaliski-wireless-security-wwc-2003.ppt]
Man-in-the-middle Attack
• Real-time attack
• Read/modify data in transit
o Violate integrity
Session Hijacking
• Attacker takes an authenticated session
• Target assumes its session is broken/lost
• Attacker can use the session for anything,
for any amount of time
• Real time attack
• Integrity of session
Session Hijacking
[Figure: Target, Attacker and Wired Network]
Replay
• Similar to session hijacking except timing!
[Figure: Target, Attacker and Wired Network]
Summary
• Introduction to wireless networks
• How wireless is different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
WEP
Introduction to WEP
• Original security protocol for IEEE 802.11 standard
• Wired Equivalent Privacy – Create the “privacy
achieved by a wired network”
• Considered as secure as a wired network
• Primary Goal: Protect the confidentiality of user
data from eavesdropping
• Based on RC4 algorithm, which is a symmetric key
stream cipher
WEP - Secret Key
• Relies on a secret key that is shared between a
mobile station and an access point
• Packets are encrypted before they are transmitted, and an integrity check ensures that packets are not modified in transit
• Same key shared between all mobile stations and
an access point in a network
WEP - Authentication
STA -> AP: Authenticate (request)
AP -> STA: Authenticate (challenge)
STA -> AP: Authenticate (response)
AP -> STA: Authenticate (success)
Stream Cipher Operation
Electronic Code Book Mode
Initialization Vectors (IV)
• Used to alter the key stream
• Numeric value that is concatenated to the base
key before the key stream is generated
• Every time IV changes, so does the key stream
• 802.11 standard recommends that IV change on a
per-frame basis
• If same packet is transmitted twice, the resulting
cipher-text will be different for each transmission
Encryption with IV
WEP Encryption
• Checksum – uses CRC32
• Encryption – uses RC4
• Transmission – ciphertext appended with IV
[Figure: (Message, CRC) XOR Keystream = RC4(IV,k) gives the Ciphertext, which is sent together with the IV]
WEP Decryption
[Figure: Ciphertext XOR Keystream = RC4(IV,k), using the received IV, gives (Message, CRC)]
Goals of Security
• Authentication
• Access control
• Replay Protection
• Message modification detection
• Message privacy
1) Authentication
• It is one party proving to the other that he/she really is who they claim to be.
• Requirements:
(1) Robust method of proving identity that cannot be spoofed
(2) Method of preserving identity over subsequent transactions that cannot be transferred
(3) Mutual authentication
(4) Authentication keys independent from encryption keys
How does rule 1 fail?
• P XOR K = C
• C XOR P = K
[Figure: STA, AP and Bad STA]
2) Access Control
• Process of allowing or denying a mobile device to
communicate with the network
• IEEE 802.11 does not define any access control
mechanism
• APs might use a list of acceptable MAC addresses
• Problem? MAC address can be easily spoofed
• Last line of defense? On receiving an IV error, deny
access to that station
3) Replay Detection
• Legitimate user actions captured by an attacker
• Attacker replays the message (login response message spoofing the MAC address)
• WEP should allow only one copy of a message to
be accepted EVER
• No protection whatsoever in WEP
Replay Attack
[Figure: Good guy STA and Good guy AP exchange authorized WEP communications; Bad guy (STA or AP) eavesdrops and records, then plays back selections]
4) Message modification
• To prevent tampering, WEP includes a check field called integrity check value (ICV).
• Problem? CRC method used to compute the ICV is called a linear method
• Thus, C(M XOR M’) = C(M) XOR C(M’)
• Possible to predict what bits in ICV change on
changing a bit in data
Message modification
• Let the message-CRC pair be <M, C(M)>
• The corresponding ciphertext would be:
Ciph(M) = <M, C(M)> XOR K = K XOR <M, C(M)>
• Suppose we want to change M by d:
Ciph(M) XOR <d, C(d)>
= K XOR <M, C(M)> XOR <d, C(d)>
= K XOR <M XOR d, C(M XOR d)>
= K XOR <M’, C(M’)>
= Ciph(M’)
5) Privacy
• Weaknesses in the way RC4 is used in WEP:
1) IV Reuse
2) Weak RC4 keys
Key Reuse
• Encrypting two messages with same IV and key can
reveal information about both messages:
C1 = P1 XOR RC4(IV,k)
C2 = P2 XOR RC4(IV,k)
C1 XOR C2 = P1 XOR P2
Key Reuse - Problems
• XORing the two ciphertexts causes the keystream to
cancel out.
• If one plaintext is known, other can be easily
calculated
• Real-world plaintexts have enough redundancy so
that one can recover both P1 and P2
• Known techniques for solving such plaintext XORs
by looking for two English texts that XOR to given
value P1 XOR P2
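An added Python example (not from the original slides) that runs the two WEP weaknesses derived above on a toy encapsulation, to show why a CRC is not a message integrity code and why a repeated IV is fatal for a stream cipher. The key, IV, messages and function names are constructed for illustration; real 802.11 framing is left out.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    return zlib.crc32(msg).to_bytes(4, "little")    # C(M) in the slides

def wep_encrypt(iv: bytes, k: bytes, msg: bytes) -> bytes:
    plain = msg + icv(msg)                           # <M, C(M)>
    return iv + xor(plain, rc4(iv + k, len(plain)))  # IV travels in the clear

def wep_decrypt(k: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + k, len(body)))
    msg, check = plain[:-4], plain[-4:]
    return msg if icv(msg) == check else None        # None = ICV failure

def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Same IV and key: C1 XOR C2 = P1 XOR P2, no key needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame1[3:], frame2[3:])

def modify(frame: bytes, d: bytes) -> bytes:
    """Turn Ciph(M) into Ciph(M XOR d) without the key; len(d) must equal len(M)."""
    # zlib's CRC-32 has an initial value and a final XOR, so it is affine rather
    # than strictly linear: C(M XOR d) = C(M) XOR C(d) XOR C(00...0).
    patch = d + xor(icv(d), icv(bytes(len(d))))
    return frame[:3] + xor(frame[3:], patch)

def demo():
    k, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"  # constructed 40-bit key and IV
    m1, m2 = b"amount=0100;to=alice", b"hello from station B"
    f1, f2 = wep_encrypt(iv, k, m1), wep_encrypt(iv, k, m2)
    d = bytearray(len(m1))
    d[7] = ord("0") ^ ord("9")
    forged = wep_decrypt(k, modify(f1, bytes(d)))
    return forged, xor(keystream_reuse(f1, f2), m1)[:len(m2)]
```

`demo()` returns the altered message that still passes the ICV check and the second plaintext recovered from the first, both without touching the key.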
How WEP deals with this?
• Use a different IV for every packet that is
transmitted
• Problem?
o IV is sent in plaintext form along with the transmitted packet
o Attacker knows the IV as well
Possible Attack
• Key rarely changes.
• IV size is 24 bits.
• Reuse of IV causes reuse of RC4 keystream
• Since IV is public, duplicate IVs can be easily detected by the attacker
• Over a period of time, attacker can collect IVs and corresponding ciphertexts
RC4 Weak Keys
• RC4 has weak keys
– Greatly aids cryptanalysis
– There are standard techniques to avoid the
weak keys but WEP does not use these
techniques.
• Airsnort and Wepcrack tools leverage weak
keys
IEEE 802.11i
Introduction to 802.11i
• Addendum to the base standard that specifies new
generation of security
• Defines a new type of wireless network called Robust Security Network (RSN)
Goals
• Replace WEP by protocol that properly uses
encryption
• Add proper authentication
• Add data authenticity and integrity
• Tie data link keys to authentication
• Manufacture “fresh” keys
Security Service Dependencies
[Figure: Authentication, Authorization, Data Integrity, Data Confidentiality]
802.11i Architecture
[Figure: 802.11i architecture. Labels: Data, 802.1X Controlled Port, 802.1X Uncontrolled Port, 802.1X Authenticator/Supplicant, Data Link (MAC_SAP, WEP/TKIP/CCMP, MAC), Physical (PHY, PMD), Station Management Entity (802.11i State Machines), TK]
PTK ← PRF(PMK)
(PTK = KCK | KEK | TK)
Operation
[Figure: phases of operation between Station, Access Point and Authentication Server: security capabilities discovery, security negotiation, 802.1X authentication, 802.1X key management, RADIUS-based key distribution, data protection]
Discovery phase
• Determine promising parties with whom to communicate
• AP advertises network security capabilities to STA via beacon and probe response
o SSID in Beacon, Probe provides hint for right authentication credentials
   – Performance optimization only; no security value
o RSN Information Element advertises
   – All enabled authentication suites
   – All enabled unicast cipher suites
   – Multicast cipher suite
• STA selects authentication suite and unicast cipher suite in Association Request
802.1x Authentication
• STA determines whether it indeed does need to
communicate
• Mutually authenticate STA and AS
• Generate master key as a side effect of
authentication
• Use master keys to generate session keys =
authorization token
Discovery and Authentication
Station -> Access Point: Probe Request
Access Point -> Station: Probe Response + RSN IE (AP supports CCMP Mcast, CCMP Ucast, 802.1X Auth)
Station -> Access Point: 802.11 Open System Auth
Access Point -> Station: 802.11 Open Auth (success)
Station -> Access Point: Association Req + RSN IE (STA requests CCMP Mcast, CCMP Ucast, 802.1X Auth)
Access Point -> Station: Association Response (success)
RADIUS phase
• AS moves session key (PMK) to STA’s AP
802.1x Key Management
• Bind PMK to STA and AP
• Confirm both AP and STA possess PMK
• Generate fresh operational key (PTK)
• Prove each peer is live
• Synchronize PTK use
Another look at the layers
802.11i Key Hierarchy
Pairwise Master Key (PMK): 256 bit Access token
Pairwise Transient Key (PTK) = 802.11i-PRF(PMK, min(AP Nonce, STA Nonce) || max(AP Nonce, STA Nonce) || min(AP MAC Addr, STA MAC Addr) || max(AP MAC Addr, STA MAC Addr))
Key Confirmation Key (KCK) – PTK bits 0–127
Key Encryption Key (KEK) – PTK bits 128–255
Temporal Key – PTK bits 256–n – can have cipher suite specific structure
Another look at the basic operation
STA -> AP: Association Request
AP -> STA: Association Response
STA and AP: Begin filtering non-802.1X data MPDUs
STA and AP: EAP type specific mutual authentication
STA and AP: 4-Way Handshake
STA and AP: Group Key Handshake
STA and AP: Allow data MPDUs protected by pairwise, group keys
4-way handshake
STA and AP: both hold the PMK
AP: Pick Random ANonce
AP -> STA: EAPOL-Key(Reply Required, Unicast, ANonce)
STA: Pick Random SNonce, Derive PTK = 802.11i-PRF(PMK, ANonce || SNonce || AP MAC Addr || STA MAC Addr)
STA -> AP: EAPOL-Key(Unicast, SNonce, MIC, STA RSN IE)
AP: Derive PTK
AP -> STA: EAPOL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE, GTK)
STA -> AP: EAPOL-Key(Unicast, MIC)
Key Management
Summary
• 4-Way Handshake
o Establishes a fresh pairwise key bound to STA and
AP for this session
o Proves liveness of peers
o Demonstrates there is no man-in-the-middle between PTK holders if there was no man-in-the-middle holding the PMK
o Synchronizes pairwise key use
• Group Key Handshake provisions group key
to all STAs
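An added Python example (not from the original slides) of the key hierarchy and the 4-way handshake: both peers derive the same PTK from the PMK, nonces and MAC addresses, and the MIC keyed with the KCK is what confirms PMK possession. It uses the IEEE 802.11i PRF (HMAC-SHA1, label "Pairwise key expansion"), where the standard places the MAC addresses before the nonces; the message bytes are stand-ins for real EAPOL-Key frames and all function names are assumptions.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, tk_len=16):
    # min/max ordering lets both peers build the same PRF input
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 32 + tk_len)
    # PTK bits 0-127, 128-255 and 256-n
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck: bytes, message: bytes) -> bytes:
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def four_way(pmk_ap, pmk_sta, ap_mac, sta_mac):
    """Return (AP's TK, STA's TK), or None if a MIC check fails."""
    anonce = os.urandom(32)                       # message 1, AP -> STA: ANonce
    snonce = os.urandom(32)
    sta = derive_ptk(pmk_sta, ap_mac, sta_mac, anonce, snonce)
    msg2 = b"msg2" + snonce                       # stand-in for the EAPOL-Key frame
    msg2_mic = mic(sta["KCK"], msg2)              # message 2, STA -> AP: SNonce, MIC
    ap = derive_ptk(pmk_ap, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(mic(ap["KCK"], msg2), msg2_mic):
        return None                               # STA did not prove it holds the PMK
    msg3 = b"msg3" + anonce
    msg3_mic = mic(ap["KCK"], msg3)               # message 3, AP -> STA: ANonce, MIC
    if not hmac.compare_digest(mic(sta["KCK"], msg3), msg3_mic):
        return None                               # AP did not prove it holds the PMK
    return ap["TK"], sta["TK"]                    # message 4 confirms; both install TK
```

Because the nonces are random per run, every successful handshake yields a different temporal key even though the PMK is unchanged.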
Data Transfer Overview
• 802.11i defines 2 protocols to protect data transfer:
o TKIP : Legacy devices
o CCMP: Better security for new devices
• Why two protocols instead of one?
TKIP
• TKIP: Temporal Key Integrity Protocol
• Designed as a wrapper around WEP
o Can be implemented in software
o Reuses existing WEP hardware
o Runs WEP as a sub-component
TKIP Design Challenges
• Mask WEP’s weaknesses…
o Prevent data forgery
o Prevent replay attacks
o Prevent encryption misuse
o Prevent key reuse
• On existing AP hardware
o Utilize existing WEP off-load hardware
o Software/firmware upgrade only
o Don’t unduly degrade performance
TKIP Design – Replay Protection
Protect against replay
• reset packet sequence # to 0 on rekey
• increment sequence # by 1 on each packet
• drop any packet received out of sequence
[Figure: Wireless Station and Access Point; frames Hdr | Packet n, Hdr | Packet n + 1, Hdr | Packet n]
CCMP
• Mandatory to implement: the long-term
solution
• Based on AES in CCM mode
o CCM = Counter Mode Encryption with CBC-MAC
Data Origin Authenticity
o AES overhead requires new AP hardware
o AES overhead may require new STA hardware for
hand-held devices, but not PCs
• An all new protocol with few concessions to
WEP
• Protects MPDUs = fragments of 802.2 frames
Overview
[Figure: frame fields Header, Payload, MIC, with the Encrypted and the Authenticated parts marked]
• Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload
• Use CTR mode to encrypt the payload
o Counter values 1, 2, 3, …
• Use CTR mode to encrypt the MIC
o Counter value 0
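Operation
[Figure: CCM operation. A CBC-MAC chain of E blocks over B0, B1, ..., Bk (Header, padded with 0) and Bk+1, ..., Br (Payload, padded with 0) yields the MIC; counter-mode E blocks over A1, ..., Am give S1, ..., Sm for the Payload, and A0 gives S0 for the MIC]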
CCMP Summary
• Builds on the lessons learned from IEEE 802.11 and
IPsec packet protocol designs
o Relies on proper use of strong cryptographic primitives
• Strong security against all known attacks
• Requires new hardware
Data Transfer Summary
                    WEP               TKIP                               CCMP
Cipher              RC4               RC4                                AES
Key Size            40 or 104 bits    128 bits encryption, 64 bit auth   128 bits
Key Life            24-bit IV, wrap   48-bit IV                          48-bit IV
Packet Key          Concat.           Mixing Fnc                         Not Needed
Integrity: Data     CRC-32            Michael                            CCM
Integrity: Header   None              Michael                            CCM
Replay              None              Use IV                             Use IV
Key Mgmt.           None              EAP-based                          EAP-based