Wireless Networks: Challenges, Threats and Solutions Shehla Rana Furquan Shaikh 1 Talk Outline • Introduction to wireless networks • How wireless is different • Misbehavior in Wireless Networks • Security Threats in Wireless Networks • IEEE 802.11 Security Tools 2 Wireless Networks • Computing and communication services, over the air, on the move • Infrastructure-based Networks • Ad hoc Networks 3 Infrastructure Mode • Single hop wireless connectivity o An Access Point is responsible to communicate with end-points in its “jurisdiction” Wired Network Wireless AP 4 Mobile Ad Hoc Networks (MANET) • • • • No access point Network formed by multiple wireless end-points Multi-hop wireless links Data must be routed via intermediate nodes • Host movement/ topology change may be frequent A B A B 5 Why Ad Hoc Networks ? • Setting up of fixed access points and backbone infrastructure is not always viable o Infrastructure may be absent/destroyed in a disaster area or war zone o Easy, fast deployment o Do not need backbone infrastructure support 6 Wireless Mesh Networks (WMN) • No Access Point • Multiple, autonomous wireless end-points relaying data for each other • Little or no mobility • Long-term applications • Weaker energy constraints 7 Wireless Sensor Networks (WSN) • A class of Ad-hoc/mesh networks • Composed of small, inexpensive, resource constrained devices • Sensing data usually directed towards a single “Sink” • Multi-hop wireless links 8 Talk Outline • Introduction to wireless networks • How is Wireless different • Misbehavior in Wireless Networks • Security Threats in Wireless Networks 9 How is wireless different? • Can we apply media access methods from fixed networks? o CSMA/CD? o Send when medium is free, listen into the medium for collision • Medium access problems in wireless networks o sender may apply CS and CD, but collisions happen at receiver o sender may not ‘hear’ the collision, i.e., CD doesn’t work o CS might not work, e.g. ‘hidden’ terminals 10 MAC: Collision Avoidance • Collision avoidance: Once channel becomes idle, wait for a randomly chosen duration before attempting to transmit • IEEE 802.11 o When transmitting, choose a backoff in range [0,cw]; o Count down backoff when medium is idle o Count-down suspended if medium becomes busy o When backoff interval reaches 0, transmit 11 Talk Outline • Introduction to wireless networks • How wireless is different • Misbehavior in Wireless Networks • Security Threats in Wireless Networks 12 Misbehavior in Wireless NWs: Outline • Misbehavior at the MAC layer o Impatient Transmitters o Solutions and Challenges • Misbehavior at the network layer o Drop, corrupt packets o Misroute packets o Solutions and Challenges 13 Possible Misbehaviors: “Impatient” Transmitters Access Point • Choose smaller Backoff • Cause collisions with other hosts’ packets Wireless channel A B • Those hosts will exponentially backoff on packet loss, giving free channel to the misbehaving host • Must diagnose and discourage! 14 Solution 1: Passive Observation • Receiver observes sender behavior. Are backoffs too short? • Challenge: Receiver does not know exact backoff value chosen by sender o Sender chooses random backoff o Hard to distinguish between maliciously chosen small values and a legitimate value o How long must receiver observe? 15 Solution 2: Rx driven Backoff • Remove the non-determinism • Receiver provides backoff values to sender o Receiver specifies backoff for next packet in ACK for current packet o Backoffs of different nodes still independent o Uncertainty of senders backoff eliminated 16 Misbehavior in Wireless NWs: Outline • Misbehavior at the MAC layer o Impatient Transmitters o Solutions and Challenges • Misbehavior at the network layer o Drop, corrupt packets o Misroute packets o Solutions and Challenges 17 Drop/Corrupt/Misroute • A node “agrees” to join a route (for instance, by forwarding route request/reply) but fails to forward packets correctly • Why: Conserve energy, overload, launch a denial-of-service attack 18 Solution: Watchdogs • Exploit broadcast nature • Verify whether a node has forwarded a packet or not B sends packet to C A B C D E 19 Watchdogs at Work • B can ‘hear’ whether C has forwarded packet or not • B can also know whether packet is tampered with if no per-link encryption B overhears C Forwarding the packet A B C forwards packet to D C D E 20 Watchdog At Work • Forwarding by C may not be immediate: B must buffer packets, and compare them with overheard packets • If packet stays in buffer at B too long, a “failure tally” for node C is incremented • If the failure rate is above a threshold, C is determined as misbehaving, and source node informed 21 Watchdog Approach: Challenges • Impact of Collisions • If A transmits while C is forwarding to D, B will not know C forwards packet to D A B C D E 22 Watchdog Approach: Challenges • Reliability of Reception Not Known • Even if B sees the transmission from C, it cannot always tell whether D received the packet reliably Misbehaving C may reduce power such that B can receive from C, but D does not C forwards packet to D A B C D E 23 Watchdog Approach: Challenges • Misdirection of Packets • C forwards packets, but to the wrong node! • With DSR, B knows the next hop after C, so this misbehavior may be detected • With other hop-by-hop forwarding protocols, B cannot detect this A B C D E F 24 Solution 2: Exploiting Path Redundancy • Design routing algorithms that can deliver data despite misbehaving nodes • “Tolerate” misbehavior by using disjoint routes • Prefer routes that deliver packets at a higher “delivery ratio” 25 Best-Effort Fault Tolerant Routing (BFTR) • The target of a route discovery is required to send multiple route replies (RREP) o The source can discover multiple routes (all are deemed feasible initially) 1. Source chooses a feasible route based on the “shortest path”metric 2. Source uses this route until its delivery ratio falls below a threshold (making the route infeasible) 3. If existing route is deemed infeasible, go to (1) 26 BFTR: Issues • A route may look infeasible due to temporary overload on that route • The source may settle on a poorer (but feasible) route • No direct mechanism to differentiate misbehavior from lower capacity routes 27 Solution 3: Micropayments • • • • Provide incentive for relaying packets A trusted third party: Accounting center Three phases: Communication: o Source/dest issue payment receipts to intermediate nodes • Receipt Submission: o Relays claim their payments • Payment Redemption: o AC processes the receipts and issues payment 28 Route Tampering Attack • A node may make a route appear too long or too short by tampering with RREQ • By making a route appear too long, the node may avoid the route from being used o This would happen if the destination replies to multiple RREQ • By making a route appear too short, the node may make the source use that route, and then drop data packets (denial of service) 29 Wormhole Attack • Attacker makes a wireless ‘link’ appear in the network when there isn’t one • Not necessarily detrimental, since the additional link can improve performance • Attacker assumes control on the fate of the traffic o May analyze traffic o Collect traffic for breaking encryption 30 Wormhole Attack • Host X can forward packets from F and E unaltered • Hosts F and E will seem ”adjacent” to each other • The fact that AFE really is AFXE will not be detected E F A B X C D 31 Solution: Packet Leashes • Additional information added to packets to restrict maximum transmission distance of a packet • Geographical leashes o RX checks distance from the sender o Signature to authenticate sender location, timestamp o Distance too large, reject the packet • Temporal Leashes o Sender timestamps the packet, and receiver determines the delay since the packet was sent o If delay too large, reject the packet o Sender cannot know MAC delays 32 Wireless Misbehavior: Summary • Hosts may be misbehave or try to compromise security at all layers of the protocol stack • MAC Layer o Disobey protocol specifications for selfish gains o Denial-of-service attacks • Network Layer o Disrupt route discovery/maintenance o Force use of poor routes (e.g., long routes) o Delay, drop, corrupt, misroute packets 33 Talk Outline • Introduction to wireless networks • How wireless is different • Misbehavior in Wireless Networks • Security Threats in Wireless Networks 34 Wireless Security Vulnerabilities • • • • • • • • • Traffic Analysis Passive Eavesdropping Unauthorized Access Man-in-the-middle Session Hijacking Replay Attack Rogue AP DoS Attacks Pollution Attacks 35 Traffic Analysis • Need: o A wireless card in promiscuous listening mode • Threats: o Detect activity on the network o Using AoA, get physical location of transmitter o Type of protocols under use 36 Passive Eavesdropping • No physical security protects against this! City of London - WLAN Traffic Surveyed 350 Unencrypted Encrypted (WEP) 300 250 # of Access Points • More than 50% APs use no encryption • Attacker can get: Actual data Source, destination, timing of packets 200 150 100 50 0 2001 2002 37 www.rsa.com/rsalabs/.../kaliski-wireless-security-wwc-2003.ppt Man-in-the-middle Attack • Real-time attack • Read/modify data in transit o Violate integrity 38 Session Hijacking • Attacker takes an authenticated session • Target assumes its session is broken/lost • Attacker can use the session for anything, for any amount of time • Real time attack • Integrity of session 39 Session Hijacking Wired Network Target Attacker Target Wired Network 40 Replay • Similar to session hijacking except timing! Wired Network Target Attacker Wired Network Target Attacker 41 Summary • Introduction to wireless networks • How wireless is different • Misbehavior in Wireless Networks • Security Threats in Wireless Networks 42 WEP Introduction to WEP • Original security protocol for IEEE 802.11 standard • Wired Equivalent Privacy – Create the “privacy achieved by a wired network” • Considered as secure as a wired network • Primary Goal: Protect the confidentiality of user data from eavesdropping • Based on RC4 algorithm, which is a symmetric key stream cipher WEP - Secret Key • Relies on a secret key that is shared between a mobile station and an access point • Encrypt packets before they are transmitted, and an integrity check to ensure that packets are not modified during transition • Same key shared between all mobile stations and an access point in a network WEP - Authentication Authenticate (request) STA Authenticate (challenge) Authenticate (response) Authenticate (success) AP Stream Cipher Operation Electronic Code Book Mode Initialization Vectors (IV) • Used to alter the key stream • Numeric value that is concatenated to the base key before the key stream is generated • Every time IV changes, so does the key stream • 802.11 standard recommends that IV change on a per-frame basis • If same packet is transmitted twice, the resulting cipher-text will be different for each transmission Encryption with IV WEP Encryption Message • Checksum – uses CRC32 • Encryption – uses RC4 • Transmission – ciphertext appended with IV CRC XOR Keystream = RC4(IV,k) IV Ciphertext WEP Decryption IV Ciphertext XOR Keystream = RC4(IV,k) Message CRC Goals of Security • • • • • Authentication Access control Replay Protection Message modification detection Message privacy 1) Authentication • It is one party proving to other that he/she really is who they claim to be. • Requirements: (1) (2) (3) (4) Robust method of proving identity that cannot be spoofed Method of preserving identity over subsequent transactions that cannot be transferred Mutual authentication Authentication keys independent from encryption keys How rule 1 fails? • P XOR K = C STA • C XOR P = K AP Bad STA 2) Access Control • Process of allowing or denying a mobile device to communicate with the network • IEEE 802.11 does not define any access control mechanism • APs might use a list of acceptable MAC addresses • Problem? MAC address can be easily spoofed • Last line of defense? On receiving an IV error, deny access to that station 3) Replay Detection • Legitimate user actions captured by an attacker • Attacker replays the message ( login response message spoofing the MAC address ) • WEP should allow only one copy of a message to be accepted EVER • No protection whatsoever in WEP Replay Attack Good guy STA Authorized WEP communications Eavesdrop and record Good guy AP Play back selections Bad guy (STA or AP) 4) Message modification • To prevent tampering, WEP includes a check field called integrity check value(ICV). • Problem? CRC method used to compute the ICV is called a linear method • Thus, C (M XOR M’) = C(M) XOR C(M’) • Possible to predict what bits in ICV change on changing a bit in data Message modification • Let the message-CRC pair be <M, C(M)> • The corresponding ciphertext would be: Ciph(M) = <M,C(M)> XOR K = K XOR <M,C(M)> • Suppose we want to change M by d: Ciph(M) XOR <d,C(d)> = K XOR <M,C(M)> XOR <d,C(d)> = K XOR <M XOR d, C(M XOR d)> = K XOR <M’, C(M’)> = Ciph (M’) 5) Privacy • Weaknesses in the way RC4 is used in WEP: 1) 2) IV Reuse Weak RC4 keys Key Reuse • Encrypting two messages with same IV and key can reveal information about both messages: C1 = P1 XOR RC4(IV,k) C2 = P2 XOR RC4(IV,k) C1 XOR C2 = P1 XOR P2 Key Reuse - Problems • XORing the two ciphertexts causes the keystream to cancel out. • If one plaintext is known, other can be easily calculated • Real-world plaintexts have enough redundancy so that one can recover both P1 and P2 • Known techniques for solving such plaintext XORs by looking for two English texts that XOR to given value P1 XOR P2 How WEP deals with this? • Use a different IV for every packet that is transmitted • Problem? o IV is sent in plaintext form along with the transmitted packet o Attacker knows the IV as well Possible Attack Key rarely changes. IV size is 24 bits. Reuse of IV causes reuse of RC4 keystream Since IV is public, duplicate IVs can be easily detected by the attacker • Over a period of time, attacker can collect IVs and corresponding ciphertexts • • • • RC4 Weak Keys • RC4 has weak keys – Greatly aids crypto analysis – There are standard techniques to avoid the weak keys but WEP does not use these techniques. • Airsnort and Wepcrack tools leverage weak keys IEEE 802.11i Introduction to 802.11i • Addendum to the base standard that specifies new generation of security • Defines a new type of wireless network called Robust Security Network(RSN) Goals • Replace WEP by protocol that properly uses encryption • Add proper authentication • Add data authenticity and integrity • Tie data link keys to authentication • Manufacture “fresh” keys Security Service Dependencies Authentication Authorization Data Integrity Data Confidentiality 802.11i Architecture Data 802.1X Controlled Port Data Link 802.1X Authenticator/Supplicant 802.1X Uncontrolled Port MAC_SAP WEP/TKIP/CCMP MAC Physical PHY PMD TK 802.11i State Machines PTK PRF(PMK) (PTK = KCK | KEK | TK) Station Management Entity Operation Station Authentication Server Access Point Security capabilities discovery Security negotiation 802.1X authentication 802.1X key management RADIUS-based key distribution Data protection 72 Discovery phase • Determine promising parties with whom to communicate • AP advertises network security capabilities to STA via beacon and probe response o SSID in Beacon, Probe provides hint for right authentication credentials • Performance optimization only; no security value o RSN Information Element advertises • All enabled authentication suites • All enabled unicast cipher suites • Multicast cipher suite • STA selects authentication suite and unicast cipher suite in Association Request 802.1x Authentication • STA determines whether it indeed does need to communicate • Mutually authenticate STA and AS • Generate master key as a side effect of authentication • Use master keys to generate session keys = authorization token Discovery and Authentication Station Probe Request Probe Response + RSN IE (AP supports CCMP Mcast, CCMP Ucast, 802.1X Auth) 802.11 Open System Auth 802.11 Open Auth (success) Association Req + RSN IE (STA requests CCMP Mcast, CCMP Ucast, 802.1X Auth) Association Response (success) Access Point RADIUS phase • AS moves session key(PMK) to STAs AP 802.1x Key Management • • • • • Bind PMK to STA and AP Confirm both AP and STA possess PMK Generate fresh operational key (PTK) Prove each peer is live Synchronize PTK use Another look at the layers 802.11i Key Hierarchy Pairwise Master Key (PMK) : 256 bit Access token Pairwise Transient Key (PTK) = 802.11i-PRF(PMK, min(AP Nonce, STA Nonce) || max(AP nonce, STA Nonce) || min(AP MAC Addr, STA MC Addr) || max(AP MAC Addr, STA MAC Addr)) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256–n – can have cipher suite specific structure Another look at the basic operation STA AP Association Request Association Response Begin filtering non-802.1X data MPDUs Begin filtering non-802.1X data MPDUs EAP type specific mutual authentication 4-Way Handshake Group Key Handshake Allow data MPDUs protected by pairwise, group keys Allow data MPDUs protected by pairwise, group keys 4-way handshake STA PMK PMK Pick Random ANonce EAPOL-Key(Reply Required, Unicast, ANonce) Pick Random SNonce, Derive PTK = 802.11i-PRF(PMK, ANonce || SNonce || AP MAC Addr || STA MAC Addr) EAPOL-Key(Unicast, SNonce, MIC, STA RSN IE) Derive PTK EAPOL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE, GTK) EAPOL-Key(Unicast, MIC) Key Management Summary • 4-Way Handshake o Establishes a fresh pairwise key bound to STA and AP for this session o Proves liveness of peers o Demonstrates there is no man-in-the-middle between PTK holders if there was no man-in-themiddle holding the PMK o Synchronizes pairwise key use • Group Key Handshake provisions group key to all STAs Key Management Summary Data Transfer Overview • 802.11i defines 2 protocols to protect data transfer: o TKIP : Legacy devices o CCMP: Better security for new devices • Why two protocols instead of one? TKIP • TKIP: Temporal Key Integrity Protocol • Designed as a wrapper around WEP oCan be implemented in software oReuses existing WEP hardware oRuns WEP as a sub-component TKIP Design Challenges • Mask WEP’s weaknesses… o o o o Prevent data forgery Prevent replay attacks Prevent encryption misuse Prevent key reuse • On existing AP hardware o Utilize existing WEP off-load hardware o Software/firmware upgrade only o Don’t unduly degrade performance TKIP Design – Replay Protection Protect against replay • reset packet sequence # to 0 on rekey • increment sequence # by 1 on each packet • drop any packet received out of sequence Wireless Station Hdr Packet n Hdr Packet n + 1 Hdr Packet n Access Point CCMP • Mandatory to implement: the long-term solution • Based on AES in CCM mode o CCM = Counter Mode Encryption with CBC-MAC Data Origin Authenticity o AES overhead requires new AP hardware o AES overhead may require new STA hardware for hand-held devices, but not PCs • An all new protocol with few concessions to WEP • Protects MPDUs = fragments of 802.2 frames Overview Encrypted Header Payload MIC Authenticated • Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload • Use CTR mode to encrypt the payload o Counter values 1, 2, 3, … • Use CTR mode to encrypt the MIC o Counter value 0 Operation ... E ... E E padding B0 B1 ... Bk 0 padding Bk+1 Header ... Br 0 MIC Payload S1 A1 E ... ... SS mm E S0 A0 E CCMP Summary • Builds on the lessons learned from IEEE 802.11 and IPsec packet protocol designs o Relies on proper use of strong cryptographic primitives • Strong security against all known attacks • Requires new hardware Data Transfer Summary Cipher Key Size Key Life Packet Key Integrity Data Header Replay Key Mgmt. WEP RC4 40 or 104 bits CCMP AES 128 bits 24-bit IV, wrap Concat. TKIP RC4 128 bits encryption, 64 bit auth 48-bit IV Mixing Fnc CRC-32 None None None Michael Michael Use IV EAP-based CCM CCM Use IV EAP-based 48-bit IV Not Needed