A Methodology for Evaluating Wireless Network Security Protocols Presented on: December 10, 2004 David Rager and Kandaraj Piamrat CS386M: Communication Networks - Fall 2004 David Rager Kandaraj Piamrat CS386M Fall 2004 Table of Content 1. Introduction 3 2. Explanation of Terms 4 3. Methodology 6 a. b. c. d. e. f. g. h. Authentication capability Encryption strength Integrity guarantees Prevention of attacks Identity prevention Ease and cost of implementation Power consumption Novel idea 4. Analysis of Protocols a. b. c. d. WEP WPA RSN VPN 7 8 9 10 12 13 14 15 16 16 19 21 23 5. Conclusion 24 6. References 25 7. Appendix 27 a. Comparison of categorical performance b. Main contributors to each protocol’s success c. Derivation of points in concrete form 27 27 28 2 David Rager Kandaraj Piamrat CS386M Fall 2004 Introduction Wireless networks have been deployed everywhere in today’s internet, causing all to think about its security. Unfortunately wireless networks have a lot of properties that attackers can use to mount an attack. These properties are for example, dynamicity (wireless network are mobile so they change the topology more frequently than a wired one), power constraints (mobile nodes are constrained in power consumption by their batteries), and finally agent-based properties (wireless networks usually use agents such as caches and proxies to enhance their performance). Wireless network security has two wide approaches. The first one can be called “first line of defense” [7], which include prevention mechanisms such as authentication, authorization, and encryption. The second line of defense is the intrusion detection and response approach used to detect the attack or to respond after an attack occurs. In this paper, we consider the first line of defense. While significant progress has already been made on fixing the problems with the current line of defense, there is no clear metric methodology for evaluating the efficacy of new protocols. We will categorize the different security requirements of a protocol, such as authentication capability, encryption strength, integrity guarantees, protection of identity, and the ease and cost of implementation. After enumerating how we can measure a protocol by these properties, we will analyze WEP, WPA, and the complete 802.11i in terms of these measurements. 3 David Rager Kandaraj Piamrat CS386M Fall 2004 Explanation of Terms[17] RC4 is a symmetric stream cipher with an arbitrary key size. It is used in many applications such as WEP, TLS, and TKIP. It is not patented but it is a trade secret of RSA security. There used to also exist an exportable variant of RC4 which utilizes a 40-bit key, which is vulnerable to a brute force attack. EAP (Extensible Authentication Protocol) [rfc2284] is a general protocol for PPP authentication that supports multiple authentication mechanisms. It provides an infrastructure that enables clients to authenticate via a central authentication server. EAP does not select a specific authentication mechanism at the link control phase but rather postpones this until the authentication phase; this enables the authenticator to request more information before determining the specific authentication mechanism to use. 802.11X is an IEEE standard for EAP encapsulation in wired and wireless network. It defines three roles: the supplicant (user or client requesting authentication), the authentication server (the server providing authentication), and the authenticator (the device which the supplicant requests access to and that requests access from the authentication server - usually the Wireless Access Point). TKIP (Temporal Key Integrity Protocol) uses an RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication. It has a per-packet key mixing function to decorrelate the public initialization vectors (IV) from weak keys and also has a rekeying mechanism to provide fresh encryption and integrity keys. As a result, it is resistant to cryptographic attacks based on key reuse. AES (Advanced Encryption Standard) is a symmetric cipher which is faster than asymmetric ciphers, but its requirements for key exchange makes it difficult to use. It also requires more hardware on the network card than exists on current day devices. ICV (Integrity Check Value) is a checksum capable of detecting modification of an information system. MIC (Message Integrity Check) is part of the 802.11i standard. It is an additional 8 byte field placed between the data portion of an 802.11 frame and the 4 byte ICV (Integrity Check Value). In fact, MIC is very similar to the older ICV, but instead of guaranteeing only the packet payload, it also protects the header. The algorithm that implements MIC is known as Michael, and it also implements a frame counter, which discourages replay attacks. CCMP (Counter mode with Cipher block Chaining Message authentication code Protocol) is the integrity mechanism in the 802.11i standard. It is based on the CCM mode of the AES encryption algorithm. It uses 128-bit keys, with a 48-bit initialization vector for replay avoidance. It has two components. The first is Counter Mode (CM) which provides data privacy, and the second is Cipher Block Chaining Message Authentication Code (CBC-MAC) which provides data integrity and authentication. CCMP is mandatory for anyone implementing RSN 4 David Rager Kandaraj Piamrat CS386M Fall 2004 (Robust Secure Network). CCMP has some disadvantage since it cannot be used with a machine that does not have enough CPU power. RADIUS (Remote Authentication Dial In User Service) is a protocol for remote user authentication and accountability. It enables centralized management of authentication data, such as usernames and passwords. It utilizes the MD5 algorithm for secure password hashing. Communications between the client and server are authenticated and encrypted using a shared secret which is not transmitted over the network. The RADIUS server is an excellent choice for keeping track of every user’s access, because it is a centralized authentication server. The disadvantage is that since everything is in the RADIUS server, if it is compromised, the attacker obtains everything. IV (Initialization Vector) is a block of bits that is combined with the first block of data in any of several modes of a block cipher. In some cryptosystems, it is random and is sent with the cipher text. Handshaking in data communication is a sequence of events governed by hardware or software, requiring mutual agreement of the state of the operational mode before information exchange. An n-way handshake uses n messages to establish the connection. Per-Packet Key Mixing is a function used in a per-packet encryption key. It takes the base key, transmitter MAC address, and packet sequence number as inputs and outputs a new per-packet WEP key. 5 David Rager Kandaraj Piamrat CS386M Fall 2004 Methodology In this paper, we considered four main approaches which are cited in chronological order as the following: WEP, WPA, 802.11i / RSN, and VPN. The first three approaches are derived chronologically from each other. This means that the more recent approach tries to solve the problem found in the earlier ones. In this paper we look through all the approaches to see techniques that they use for security and then evaluate these techniques separately from the approaches. At the end of the evaluation we will be able to measure the performance of each approach depending on the purpose of the network. In order to evaluate each approach, we need to define metrics that we are going to use. Therefore we decide to use the following metrics: 6 David Rager Kandaraj Piamrat CS386M Fall 2004 Authentication Capability When a user wants to use the network, the network devices decide how much authentication is required to allow a new user on the network. A protocol can be trivially setup to allow anyone anonymously on the network, protecting the identity of a client. A protocol can perform authentication via challenge response messages, requiring knowledge of a group key. A protocol may require the hardware of the user to meet certain specifications (like a MAC address). Finally, a protocol may authenticate a user based upon his/her own credentials, perhaps through a password verified via an internal server. The authentication protocol must not be prone to man in the middle attacks and all exchanged passwords must be securely transmitted. Also, in the event that an intruder can capture an authentication server, the greater the redundancy between servers and synchronized decisions between them, the better. Creating a Byzantine agreement protocol is complex computationally and expensive in terms of network efficiency, so points should be removed under ease of use via number of messages exchanged. It can be seen that in order to be efficient in authentication, we should consider several parameters. Table 1 explains what should be considered: Consideration Type of authentication 0(bad) Key with challenge response Number of authentication servers Use of new authentication mechanisms Known MITM attacks One 1(fair) Key with challenge response and MAC address Three None - One or more - 2(good) Credentials based (# faults permitted) * 3+1 Use of EAP (802.11X)[17] None Table 1: Authentication capability 7 David Rager Kandaraj Piamrat CS386M Fall 2004 Encryption Strength A good protocol must choose an encryption scheme that is secure under a probabilistic polynomial time model. Additionally, the protocol must apply the encryption scheme in a way that does not open a good encryption scheme to vulnerability. A good protocol should have a key management mechanism so the user will not have to worry about the manually generating and installing new keys. In order to have that good protocol, we consider the different parameters below: Consideration Key type Cipher key type Cipher key length 0(bad) Static key RC4 40 or 104 bit encryption 1(fair) 128 bit encryption Key lifetime Time used to crack Encrypted packet needed to crack Can be recovered by cryptanalysis Key management used 24-bit IV Few hours Few millions 48-bit IV Few days - 2(good) Dynamic key AES 128 bit encryption + 64 bit authentication 48-bit IV Centuries Few billions Yes - No None Static EAP Table 2: Encryption Strength 8 David Rager Kandaraj Piamrat CS386M Fall 2004 Integrity Guarantees Giving a recipient a means to check a message’s integrity is a well known step for preventing message tampering. A good integrity scheme will compute a hash involving each bit in the message. This hash will be a one-way hash, such that the message can not be reverse engineered and changing a bit in the message should result in a large change in the hash value. If a hash function that does not meet these requirements is used, then the integrity value should be transmitted under encryption of a fresh or well-protected key. Therefore, it may be good to use a public/private key scheme to communicate the integrity value securely. In order to ensure integrity, we should guarantee two things: integrity of the message header and integrity of the data itself. For example, it is known that the use of the CRC checksum called Integrity check value is not secure and the packet can be intercepted. So a good protocol will not use this mechanism. On the other hand, CCM is a long term solution and it should be deployed when possible. Consideration Integrity of message header Integrity of the data 0(bad) None 1(fair) Michael 2(good) CCM[4] CRC-32 Michael CCM Table 3: Integrity Guarantees 9 David Rager Kandaraj Piamrat CS386M Fall 2004 Prevention of Attacks When a key is discovered by attackers, it is important that the discovered key is rotated out soon. Therefore, a protocol that provides a fresh key frequently is more secure than a protocol that uses the same key until user intervention. Additionally, the next key derived should be independent of all previous keys, satisfying a requirement called “forward secrecy.” Replay attacks A replay attack involves two users communicating and a third one later using one of the messages communicated to gain some advantage he would not have otherwise. A good example is supposing Alice and Bob are communicating, and Eve is listening. Alice needs to authenticate herself to Bob, so Alice sends Bob an encrypted version of her password. Later, Eve can pose as Alice, because when Bob asks for Alice’s password, all Eve needs to do is replay the message she captured earlier. Bob will accept that authentication and will begin communicating with Eve assuming that Eve is actually Alice. Thus Eve will have access to all the same information that Alice does, perhaps even the ability to change her password. Once included, prevention of a replay attack is actually quite simple. Bob will send Alice a fresh nonce, a newly generated random number, to act as a session identifier. Alice appends this nonce to the password, and then encrypts. Since each message to encrypt is now different, because each session will have a different nonce, the encrypted version of the password can not be replayed. If Eve tries to act as Alice, she will receive a new nonce from the server, and since Eve does not know the encryption key, she will be unable to create a new password message. It is interesting to note that the nonce is transmitted in the clear. So long as Bob sends a fresh nonce whenever a new session or IP address is encountered, the actor posing as Alice will always have to know the key to fake an encryption. We say a protocol is secure from a replay attack if it provides a sense of freshness for each packet, which would keep an intruder from replaying that packet. The use of an initialization vector is a start towards this, but the space must be large enough such that collisions are rare. DoS Denial of Service (DoS) takes on many meanings. At its core, DoS attacks involve preventing a client from receiving a service from the network that it would be able to receive under more friendly conditions. In wireless security, DoS attacks have various forms. As briefly explained in the survey paper and more completely explained in Bellardo and Savage’s work, it is possible to deny a client service to an access point by sending a small 30 messages per second on the link layer. It is also possible to deny wireless networks service by jamming the relevant frequencies, an exploitation of the physical layer. It is also possible for another client to pose as a wireless station, confusing other wireless clients and effectively denying them service. This exploit involves acting as a 10 David Rager Kandaraj Piamrat CS386M Fall 2004 DHCP server and Internet gateway and is hence a layer three attack. A good protocol is robust from attack on all layers used. One well-known method for preventing some DoS attacks is to use a “cookie.” A cookie usually contains a hash under a personal key of the source address of the initiator, any session identifiers, and something that the responder knows and can remember across many sessions without setting up state for a specific session. A cookie is usually involved in at least a four-way handshake and works like this: 1. Initiator sends a request to the responder to have a session 2. Responder sends back an acknowledgement and a cookie 3. If the initiator sent with the correct source IP address in step one, he will receive part two and can reply with the cookie and setup the session 4. If the responder receives the correct cookie, he will also setup the session. So, the cookie works, because the responder will not initiate state until he has verified the source address of the initiator. Since many DoS attacks rely upon spoofing a source address, this is a reasonably effective method for prevention. Consideration Replay attack prevention DoS cookie Number of known attacks prevented 0(bad) None 1(fair) - No None Some of them 2(good) IV sequence , Perpacket key mixing Yes All of them Table 4: Prevention of attacks 11 David Rager Kandaraj Piamrat CS386M Fall 2004 Identity Protection A good protocol is one that only reveals identity to the intended parties. Preservation of identity keeps attackers from narrowing their search for a given user’s information. At some point, identity or group identity must be communicated if authentication is to make progress. A protocol which reveals identities in plain-text has the worst identity protection, while a protocol that reveals identity under a strong form of encryption with a fresh key has the best type of identity protection. It is also better to use a basic form of authentication like source IP address validation before revealing identity. Consideration Group identity revealed to Specific identity revealed to 0(bad) Entire network 1(fair) All parties 2(good) Specific parties Entire network All parties Specific parties Table 5: Identity protection 12 David Rager Kandaraj Piamrat CS386M Fall 2004 Ease and Cost of Implementation Since the computational costs of setting up an anonymous connection are close to none, we will use this as the highest standard. The “ease” of implementation is a subjective measure, which requires some knowledge of technology already in existence. One concrete measure of a protocol could be the number of gates it would require in a client’s hardware device. Another concrete measure could be the number of lines of code required to implement it. The complexity of the protocol can also be measured by the number of actors involved and the number of messages exchanged. The network utilization efficiency can be measured by the number of handshakes and parties involved in establishing a user’s identity. In other words, if a protocol requires four parties to authenticate a user instead of three but establishes identity to the same degree of security the protocol requiring four parties is less efficient. A new protocol should be relatively easy to deploy, in that it does not require a complete overhaul of a network to function. We currently do not know of a protocol that can not be implemented completely incrementally, but we can imagine that such a protocol could be created. Consideration Computation cost Incremental installation Number of messages exchanged Number of actors involved Packet key Additional server hardware Additional network infrastructure Number of gates in client device Lines of Code 0(bad) High No 1(fair) Medium - 2(good) Low Yes 300 30 3 Many actors - Few actors Mixing function Yes Concatenated - No need No Yes - No High - Low High - Low Table 6: Ease and cost of implementation 13 David Rager Kandaraj Piamrat CS386M Fall 2004 Power Consumption Most devices that use wireless connections run from a battery-powered power source. As a result, it is only fair to include power consumption in our evaluation of wireless protocols. Power consumption is best measured in a relative manner between protocols. For example, a protocol which uses AES will use more power than one that uses RC4. Additionally, when a client receives attack-like behavior, it would be good for a protocol to specify a means to detect the attack and conserve power. This is especially important for networks that are seldom recharged, like sensor networks. A wireless protocol evaluation methodology would be incomplete without considering power. It should be noted that implementing AES in hardware instead of running it from ROM software cuts the power cost significantly [5]. Consideration Clients use low power Client can detect attacks and enter lowpower mode 0(bad) No No 1(fair) - 2(good) Yes Yes Table 7: Power consumption 14 David Rager Kandaraj Piamrat CS386M Fall 2004 Novel Ideas In this section we aim to include an idea that is currently unincorporated into wireless network security protocols. Additionally, we want to leave some room for rewarding ideas no one has thought of yet. This flexibility will be important for measuring new protocols. A protocol that could tell whether a client is inside a given physical boundary could keep intruders external to a corporation at bay. Perhaps we could accomplish this by some form of signal triangulation, where a client registers with different wireless access points, and the strength of his signal is measured at each access point. Each access point would experience different levels of signal interference, as the signal would travel around monitors, but perhaps this can be overcome by having more than three observation points and some tricky mathematics. Regardless, the ability to tell the physical location of a wireless client could be useful. Consideration Determines physical location 0(bad) No 1(fair) - 2(good) Yes 15 David Rager Kandaraj Piamrat CS386M Fall 2004 Analysis of Protocols WEP (Wired Equivalent Privacy) WEP is an encryption algorithm that is a part of the 802.11b standards. It was designed to be as secure as a wired LAN. But it seems that WEP has a lot of flaws and is prone to many attacks. Some examples are: passive attacks to decrypt traffic based on statistical analysis, active attacks to inject new traffic from unauthorized mobile stations based on known plain text, active attacks to decrypt traffic based on tricking the access point, and a dictionary-building attack that after analysis of about a day’s worth of traffic allows real time automated decryption of traffic. Summary of techniques used in WEP Challenge response authentication mechanism – Shared Key Authentication 2 party, 3 way handshake RC4 Symmetric key cipher encryption algorithm Single static preshared 40/104 bit key Initialization vector for creating freshness of encryption key Self-synchronizing [15] Packet integrity check Analysis WEP will be the weakest of the protocols we analyze, because it is the oldest and has the largest number of known attacks. It earns an average score of 30.6%. Authentication: (0/8) WEP has a keyed challenge response mechanism for authentication, where the client requests a challenge message to encrypt from the server, and if the client sends back a valid encryption of that message under the shared key, that client is considered authenticated. Additionally, WEP only uses one “server”, the access point itself, to authenticate a client. None of the newer EAPbased authentication mechanisms are used in WEP, and there are known MITM attacks, where a client can pose as a server. These problems earn WEP a score of 0 for authentication. Encryption Strength: (0/16) WEP uses a static key shared amongst all users for a given wireless network identifier. While a server can rotate the key chosen, there are still only three other choices. WEP uses the wellknown and accepted cipher RC4 to encrypt data in linear time. Unfortunately, WEP uses this solid encryption scheme in a way that makes RC4 vulnerable to attack and thus RC4 is not a benefit, but a liability. The 40 bit version of WEP is relatively weak when compared to the 104 bit version and other 128 bit keys in other protocols. The 40 bit version existed to meet exportation laws. Since those have been repealed, a key so short seems only applicable to 16 David Rager Kandaraj Piamrat CS386M Fall 2004 personal use where security is not an issue. If we were to consider personal finances private, however, the 40 bit key is not enough. Throughout WEP’s lifetime, many have discovered its 24 bit initialization vector (IV) to be a weakness. With a space of 224 and the IV being sent in the clear, collisions occur too often to be of statistically secure significance. These collisions, combined with a short key on a high-traffic network can yield a key that takes only a few hours to crack. This cracking can be done with as little as four million packets. Finally, the ability to automatically revoke a key from the network via a management interface is not built-in to WEP. Failing all of these conditions, WEP earns a score of 0 when it comes to encryption strength. Integrity Guarantees: (0/4) WEP uses a simple checksum to guarantee the integrity of the data itself and does nothing to guarantee the header, so it earns a score of 0. Prevention of Attacks: (0/6) There are many attacks for WEP. As previously mentioned, WEP has attacks on all the network layers it uses. For details of other types of attacks please see Your Wireless Network Has No Clothes and Intercepting Mobile Communications: The Insecurity of 802.11. As simple as WEP is, it still has a DoS weakness in its normal operation. The basic challenge response authentication mechanism requires the server to remember what challenge message it sent the client. Otherwise the client could lie about what challenge message it received and commit a replay attack, reusing a previous challenge response dialogue it witnessed earlier. WEP could have avoided this DoS by giving the client a signature of the challenge message under its own private key to return along with a copy of the challenge message and the clients encryption. However, WEP specifies no use of a cookie. Finally, while WEP has a notion of fresh encryption for each packet by using IVs, it uses the small space of 2^24. So as WEP is, it receives a score of 0 for prevention of attacks. Identity Protection: (4/4) WEP performs quite well when it comes to identity protection. The only identity revealed is its association with a group that knows the key to the wireless station. Ease and Cost of Implementation: (17/18) WEP consists of two simple security mechanisms: an authentication phase and a communication under encryption phase. Both of these phases are remarkably simple. Authentication occurs with a simple challenge response exchange. Encryption occurs with an XOR which is linear in time relative to the length of the message. The computational cost of doing an XOR is quite low when compared to other encryption standards like AES. The number of actors needed to coordinate authentication and encryption are just the client and access point. Since WEP is already a mainstream product, products that support WEP versus no encryption are equally cheap. In sum, WEP is a great protocol when we examine just the cost in hardware, so we award it a (17/18) in this area. 17 David Rager Kandaraj Piamrat CS386M Fall 2004 Power Consumption: (2/4) In general, WEP does not consume much power. This is mainly due to the computational simplicity of the encryption scheme, but it can also be credited to the sleep mode standard with most implementations. Since WEP does not have a method for detecting attacks and automatically sleeping for awhile, it receives only a score of (2/4). Novel Ideas: (0/2) WEP neither provides a way to determine physical location nor provides something creative of its own. So, while WEP was the first approach at a wireless security protocol, something novel in and of itself, that novelty does not translate to measurable merits. As a result, WEP receives a score of 0 in this area. 18 David Rager Kandaraj Piamrat CS386M Fall 2004 WPA (Wi-Fi Protected Access) WPA is basically a corrected version of WEP with additional mechanisms to improve security and performance. There are two modes of WPA (Enterprise mode and Pre-Shared Key mode). Since the pre-shared key mode is quite similar to WEP, we will consider the enterprise mode which is more secure and has additional mechanisms. Note that the enterprise mode is not used in a home wireless network because it requires a RADIUS server which is too expensive for the home user. Summary of techniques used in WPA 3 party, multi way handshake RC4 (note that some vendors also implement WPA2 which uses AES instead of RC4) 128 bit keys Temporal Key Integrity Protocol (TKIP)– fresh key 802.1X dynamically assigns and distributes keys per session/user/packet, it is the standard for Extensible Authentication Protocol (EAP) Packet Integrity Check (MIC) that protect the header as well as the payload Analysis of WPA Given the mistakes of WEP to learn from, WPA is a much more solid protocol and earns an overall score of 41.5%. Authentication Capability: (6/8) WPA employs a complex authentication mechanism. WPA authentication involves four parties: the client, the access point, a RADIUS authentication server, and a certificate authority. WPA allows four to five main variants of an Extensible Authentication Protocol (EAP). Included in this list are LEAP, EAP-TLS, EAP-TTLS, and PEAP. The differences between each of these protocols can be found in the IBM presentation Securing a Wireless LAN. In short, they always involve server certificates for verifying server identity and helping derive the key. The client can be authenticated using legacy methods like CHAP or more modern methods like EAP-MD5. There are no known MITM attacks for WPA, and while it is credentials based system, it uses only one authentication server, so we give it a score of (6/8). Encryption Strength: (14/16) The encryption scheme employed by WPA is still RC4. However, WPA uses RC4 in a way that allows it to maintain its strength. For starters, the initialization vector is twice as long at 48 bits, and the key length is a standard 128 bits. Additionally, WPA has a built-in mechanism for providing fresh keys to clients. Every time a client authenticates, it and the server derive a new pair-wise key. While WEP had a later modification to allow a rotation of keys, called TKIP, WPA signifies the completion of this idea, in that it provides a fresh key every time. The larger space of IVs (2^48) ensures that there will be less collisions for the time that one key is used, and 19 David Rager Kandaraj Piamrat CS386M Fall 2004 that trillions, not millions of packets must be collected before cryptanalysis can be done. One potential future vulnerability could be in how a server and client compute a fresh key. Each key should be perfectly independent of the previously derived key. WPA still uses the older encryption scheme RC4 to maintain backwards compatibility with older hardware. A stronger encryption scheme is still desired, so we give WPA a score of (14/16). Integrity Guarantees: (2/4) WPA uses the integrity method called Michael (MIC). MIC is described under Explanation of Terms. Our methodology could not be clearer, in that MIC is a technique more complex than a checksum, but still simpler than other signature methods. So, it earns a score of (2/4). Prevention of Attacks: (4/6) WPA uses per packet 48-bit IVs that provide good prevention of replay attacks. There is no cookie, so WPA is still vulnerable to DoS, and now there are more parties to deny service – the access point and the RADIUS server. There are no known attacks on WPA, but this may change with time. Due to the lack of a cookie, we give WPA a (4/6). Identity Protection: (0/4) WPA involves the client specifically answering the question “Who are you?”[12]. There is no plainer violation of identity protection than answering this question on the open air waves. WPA receives a score of (0/4). Ease and Cost of Implementation: (5/18) WPA is significantly more difficult to implement than WEP. The addition of two other parties, the RADIUS server and the certificate authority, require many more lines of code to implement the protocol correctly. While it is significantly more complex, the basic encryption scheme is still relatively simple, so WPA can still run on legacy hardware. Because of this, we give it a score of (7/18). Power Consumption: (1/4) In general, WPA does not consume much power. This is mainly due to the computational simplicity of the encryption scheme, but it can also be credited to the sleep mode standard with most implementations. Since WPA does not have a method for detecting attack and automatically sleeping for awhile, it receives only a score of 1/4 exactly like WEP. Novel Ideas: (0/2) Much like WEP, WPA neither addresses our own idea of determining physical location nor creates something completely new that our methodology does not cover. As a result, it also earns a score of (0/2). 20 David Rager Kandaraj Piamrat CS386M Fall 2004 802.11i / Robust Secure Network (RSN) While WPA implements the improvements possible on legacy hardware, RSN represents everything that we wanted to place in WPA but could not due to hardware restrictions. As a result, we will see a couple key differences between WPA and RSN. To make reading easier, those which are the same will be marked with a reference to the WPA explanation. RSN’s overall score is 51.0% Summary of techniques used in 802.11i EAP 3 party, multi way handshake Advanced Encryption Standard Symmetric cipher 128 bit keys Requires more computationally powerful hardware Packet Integrity Check (Counter Mode Encryption) Analysis of 802.11i / RSN RSN’s average score is: Authentication Capability: (6/8) See WPA. Encryption Strength: (15/16) AES provides a stronger encryption scheme over WEP’s RC4. AES provides solid strength, so we give it a score of (15/16). Integrity Guarantees: (4/4) With more expensive hardware, AES can use the integrity method called CCM. Put shortly, CCM guarantees more than MIC, so it is rewarded with a score of (4/4). Prevention of Attacks: (4/6) See WPA. Identity Protection: (0/4) See WPA. 21 David Rager Kandaraj Piamrat CS386M Fall 2004 Ease and Cost of Implementation: (4/18) It is quite similar to WPA, except it is even more difficult to implement and upgrade since it requires new client hardware. This difficulty warrants RSN a score of (4/18). Power Consumption: (2/4) When AES is implemented in hardware, its power consumption is drastically less than when in software. As a result, we assume that in the long run power consumption of AES will be acceptable. Much like WPA, since RSN does not have a method for detecting attack and automatically sleeping for awhile, it receives only a score of (2/4), exactly like WEP and WPA. Novel Ideas: (0/2) Much like WEP and WPA, RSN neither addresses our own idea of determining physical location nor creates something completely new that our methodology does not cover. As a result, it also earns a score of (0/2). 22 David Rager Kandaraj Piamrat CS386M Fall 2004 VPN Virtual Private Network is a network constructed by using public wires to privately connect nodes. For example there are a number of systems that enable you to create networks using the Internet as the medium for data communication. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be decrypted upon interception. The mechanism used in VPN differs from the other approach by “Tunneling,” which is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and both end points, called tunnel interfaces for where the packet enters and exits the network. To implement tunneling, we require 3 additional protocols (Carrier protocol, Encapsulating protocol, and Passenger protocol) VPN uses several methods for keeping the connection and data secure. Some mechanisms are firewalls, encryption, IPSec, and the AAA server: A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what types of packets are forwarded and which protocols are allowed. IPSec (Internet Protocol Security Protocol) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as: router to router, firewall to router, PC to router, and PC to server AAA (Authentication, Authorization and Accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following: who you are (authentication), what you are allowed to do (authorization) and what you actually do (accounting). VPN seems to be powerful but VPN is also expensive. First of all, tunneling requires additional protocols to manage it (Carrier protocol, Encapsulating protocol, and Passenger protocol). Moreover there are other requirements for administrating the VPN - the administrator must know how much the VPN will be used and what type of data will be traveling through it. Analysis of VPN VPN is a type of overlay for WEP. Since it is not in and of itself a wireless protocol, it is not directly comparable. We can dream up many overlays for any of the technologies discussed, but we are focusing on securing the lowest layer possible. We include discussion of it above as an example of one solution to the WEP problem that industry has adopted but stop short of measuring it, because it is not the lowest layer of security. 23 David Rager Kandaraj Piamrat CS386M Fall 2004 Conclusion We have defined a methodology for evaluating wireless network security protocols. This methodology encompasses the following characteristics: Authentication Capability Encryption Strength Integrity Guarantees Prevention of Attacks Identity Protection Ease and Cost of Implementation Power Consumption Novel Ideas We then analyzed WEP, WPA, and 802.11i / RSN according to these metrics. As expected, WEP performed the worst according to our measurements, while WPA and 802.11i / RSN performed about the same – primarily because 802.11i / RSN requires better hardware support. This methodology helps highlight some of the desires for different types of networks. For a sensor network, where nodes are often left unconnected to power for a long duration, a high score in power consumption is desirable. The typical corporation probably wants the highest overall score and is probably willing to sacrifice some power and computation to obtain it. 24 David Rager Kandaraj Piamrat CS386M Fall 2004 References [1] Arbaugh, William A., Shankar, Narendar and Wan, Justin Y.C. Your 802.11 Wireless Network Has No Clothes. March 30, 2001. http://www.cs.umd.edu/~waa/wireless.pdf [2] Bellardo, John and Savage, Stefan. 802.11 Denial-of-Service Attacks: Real Vulnerabilites and Practical Solutions. USENIX Security Symposium. 2003. http://www.usenix.org/events/sec03/tech/bellardo.html [3] Borisov, Nikita, Goldberg, Ian, and Wagner, David. Intercepting Mobile Communications: The Insecurity of 802.11. CiteSeer. 2001. http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf [4] Cam-Winget, Nancy, Housley, Russ, Wagner, David, and Walker Jesse. Security Flaws in 802.11 Data Link Protocols. Communications of the ACM Vol. 46, No. 5. May 2003. [5] Callaway, Ed. Secure Low-Power Operation of Wireless Sensor Networks. Sensormag.com. January 2004. http://www.sensorsmag.com/articles/0104/22/main.shtml [6] Cohen, Alan and O’hara, Bob. 802.11i Shores Up Wireless Security. Network World. July 26, 2003. http://www.nwfusion.com/news/tech/2003/0526techupdate.html [7] Faria, D.B. and Cheriton, D.R.. DoS and Authentication in Wireless Public Access Networks. International Conference on Mobile Computing and Networking Proceedings of the ACM Workshop on Wireless Security Atlanta, GA, USA. 2002. [8] Gast, Matthew. Wireless LAN Security Protocols. O’Reilly Emerging Technology Conference. April 2003. http://conferences.oreillynet.com/presentations/et2003/gast_final.pdf [9] Geier, Jim. Beware of ARP Attacks. Wi-Fi Planet. November 24, 2003. http://www.wi-fiplanet.com/tutorials/article.php/3112991 [10] Glendinning, Duncan. 802.11 Security. Intel Developer Forum. September 17, 2003. http://www.intel.com/idf/us/fall2003/presentations/F03USMOBS169_OS.pdf [11] Klaus, Christopher W. WLAN FAQ. Internet Security Systems. October 6, 2002. http://www.iss.net/wireless/WLAN_FAQ.php [12] Knapp, Laura Jeanne and Hadley, Tom. Securing a Wireless LAN. IBM. http://www.lauraknapp.com/images/Wiresec.pdf 25 David Rager Kandaraj Piamrat CS386M Fall 2004 [13] Microsoft. Overview of the WPA Wireless Security Update in Windows XP. Microsoft Knowledge Base. September 23, 2004. http://support.microsoft.com/?kbid=815485 [14] Mistano, Marco. Wireless LAN Security. Cicsco. 2003. http://www.clusit.it/evento_ord_ing/misi_wlan.pdf [15] SMU. Modern Stream Ciphers. Retrieved on December 10, 2004. http://engr.smu.edu/~nair/courses/7349/stream.ppt#16 [16] Snyder, Joel and Thayer, Rodney. 802.11i: The Next Big Thing. Network World Fusion. October 10, 2004. http://www.nwfusion.com/reviews/2004/1004wireless80211i.html [17] Tech-faq. The Tech FAQ – Wireless Networks. Tech-FAQ.com. December 10, 2004. http://www.tech-faq.com/wireless-networks/wireless-networks.shtml [18] Welch, Donald J and Lathrop Scott D. A Survey of 802.11a Wireless Security Threats and Security Mechanisms, Information Technology and Operation Center, 2003 http://www.itoc.usma.edu/Documents/ITOC_TR-2003-101_(G6).pdf [19] Wikapedia. Replay Attack. Wikapedia.com. December 10, 2004. http://en.wikipedia.org/wiki/Replay_attack 26 David Rager Kandaraj Piamrat CS386M Fall 2004 Appendix Comparison of Categorical Performance % of Points 0% 20% 40% 60% 80% 100% Performance Category Authentication Capability Encryption Strength Integrity Guarantees WEP Prevention of Attacks WPA Identity Protection RSN Ease and Cost of Implementation Power Consumption Novel Ideas Main Contributors to Each Protocol's Success Novel Ideas Power Consumption % of Points Ease and Cost of Implementation Identity Protection Prevention of Attacks Integrity Guarantees Encryption Strength WEP WPA Protocol RSN Authentication Capability 27 David Rager Kandaraj Piamrat CS386M Fall 2004 The color red means that it was chosen for scoring that particular characteristic. 28 David Rager Kandaraj Piamrat CS386M Fall 2004 29 David Rager Kandaraj Piamrat CS386M Fall 2004 30 David Rager Kandaraj Piamrat CS386M Fall 2004 31 David Rager Kandaraj Piamrat CS386M Fall 2004 32 David Rager Kandaraj Piamrat CS386M Fall 2004 33 David Rager Kandaraj Piamrat CS386M Fall 2004 34 David Rager Kandaraj Piamrat CS386M Fall 2004 35 David Rager Kandaraj Piamrat CS386M Fall 2004 36