Chapter 06
Wireless Network Security
1
Outline
Introduction
Thwarting malicious behavior
802.11 Wireless Network Security
2
6.1 Introduction
3
The Internet : something went wrong
Network deployment
Observation
of new misdeeds
(malicious or selfish)
Install security patches
(anti-virus, anti-spam, anti-spyware,
anti-phishing, firewalls,…)
“The Internet is Broken”
MIT Technology Review,
Dec. 2005 – Jan. 2006
 NSF FIND, GENI, etc.
4
Where is this going ?
MIT Technology Review,
Dec. 2005 – Jan. 2006
The Economist, April 28, 2007
What if tomorrow’s wireless networks are even more unsafe than today’s Internet5?
Wireless networks are rapidly becoming
pervasive.
• How many of you have web-enabled cell
phones?
• How many of you have networked PDAs and
Pocket PCs?
• How many of you have laptops with wireless
network cards?
• How many of you have wireless networks at
work? at home?
• How many of you use wireless networks
when you are out and about?
6
Of those of you who have wireless devices,
how many of you:
• protect your wireless device with a
password?
• encrypt the data in your wireless device?
• employ any type of security with your
wireless device?
• employ security with your wireless network?
7
Upcoming wireless networks
• New kinds of networks
– Personal communications
•
•
•
•
•
•
Small operators, community networks
Cellular operators in shared spectrum
Mesh networks
Hybrid ad hoc networks (also called “Multi-hop cellular networks”)
“Autonomous” ad hoc networks
Personal area networks
– Vehicular networks
– Sensor and RFID networks
– …
• New wireless communication technologies
–
–
–
–
–
Cognitive radios
MIMO
Ultra Wide Band
Directional antennas
…
8
Upcoming wireless networks
• New kinds of networks
– Personal communications
•
•
•
•
•
•
Small operators, community networks
Cellular operators in shared spectrum
Mesh networks
Hybrid ad hoc networks (also called “Multi-hop cellular networks”)
“Autonomous” ad hoc networks
Personal area networks
– Vehicular networks
– Sensor and RFID networks
– …
• New wireless communication technologies
–
–
–
–
–
Cognitive radios
MIMO
Ultra Wide Band
Directional antennas
…
9
Community networks
Example: service reciprocation in community networks
• A phenomenon of growing relevance, led by FON, http://en.fon.com/
• FON claims
• to have raised a total of more than 30M$, notably from Google, Skype, and BT
• that the number of “Foneros” is around 830’000
10
Mesh Networks
Transit Access
Point (TAP)
11
Mesh Networks: node compromise
12
Mesh Networks: jamming
More on mesh networks:
• IEEE Wireless Communications, Special Issue on Wireless Mesh Networking,
Vol. 13 No 2, April 2006
13
Vehicular networks: why?
• Combat the awful side-effects of road traffic
– In the EU, around 40’000 people die yearly on the roads;
more than 1.5 millions are injured
– Traffic jams generate a tremendous waste of time and of fuel
• Most of these problems can be solved by providing
appropriate information to the driver or to the vehicle
14
Example of attack : Generate
“intelligent collisions”
SLOW
DOWN
The way
is clear
• All carmakers are working on vehicular comm.
• Vehicular networks will probably be the largest
incarnation of mobile ad hoc networks
For more information:
http://ivc.epfl.ch
http://www.sevecom.org
15
Sensor networks
Vulnerabilities:
• Theft  reverse engineered and compromised, replicated
• Limited capabilities  risk of DoS attack, restriction on
cryptographic primitives to be used
• Deployment can be random  pre-configuration is difficult
• Unattended  some sensors can be maliciously moved around
16
RFID
• RFID = Radio-Frequency Identification
• RFID system elements
– RFID tag + RFID reader + back-end database
• RFID tag = microchip + RF antenna
– microchip stores data (few hundred bits)
– Active tags
• have their own battery  expensive
– Passive tags
• powered up by the reader’s signal
• reflect the RF signal of the reader modulated with stored data
RFID tag
tagged
object
RFID reader
reading
signal
ID
ID
detailed
object
information
back-end
database
17
Trends and challenges in wireless
networks
• From centralized to distributed to self-organized
 Security architectures must be redesigned
• Increasing programmability of the devices
 increasing risk of attacks and of greedy behavior
• Growing number of tiny, embedded devices
 Growing vulnerability, new attacks
• From single-hopping to multi-hopping
 Increasing “security distance” between devices and
infrastructure, increased temptation for selfish behavior
• Miniaturization of devices  Limited capabilities
• Pervasiveness  Growing privacy concerns
… Yet, mobility and wireless can facilitate certain security
mechanisms
18
Grand Challenge
Prevent ubiquitous
computing from becoming a
pervasive nightmare
19
Reasons to trust
organizations and individuals
• Moral values
– Culture + education, fear of bad reputation
• Experience about a given party
– Based on previous interactions
• Rule enforcement organization
}
Will lose relevance
Scalability challenge
– Police or spectrum regulator
• Usual behavior
– Based on statistical observation
Can be misleading
• Rule enforcement mechanisms
– Prevent malicious behavior (by appropriate security mechanisms)
and encourage cooperative behavior
20
Upcoming networks vs. mechanisms
Rule
enforcement
Upcoming mechanisms
wireless
networks
Small operators,
community networks
X
Cellular operators in
shared spectrum
X
X
X
X
X
X
X
X
X
X
X
?
X
X
Mesh networks
X
X
X
X
X
X
Hybrid ad hoc
networks
X
X
X
X
X
X
X
Self-organized
ad hoc networks
X
X
X
X
X
X
X
X
X
X
X
X
?
?
Sensor networks
X
X
X
X
X
?
RFID networks
X
?
X
Vehicular networks
Security
X
?
?
X
?
X
?
Cooperation
21
6.2 Thwarting malice: security
mechanisms
2. Thwarting malice: security mechanisms
2.1 Naming and addressing
2.2 Establishment of security associations
2.3 Secure neighbor discovery
2.4 Secure routing in multi-hop wireless networks
2.5 Privacy protection
2.6 Secure positioning
22
2.1 Naming and addressing
•
Typical attacks:
– Sybil: the same node has multiple identities
– Replication: the attacker captures a node and replicates it
 several nodes share the same identity
• Distributed protection technique in IPv6: Cryptographically Generated
Addresses (T. Aura, 2003; RFC 3972)  only a partial solution to the
problem
Public key
Hash function
Subnet prefix
Interface ID
64 bits
64 bits
For higher security
(hash function output
beyond 64 bits), hash
extension can be used
IPv6 address
Parno, Perrig, and Gligor. Detection of node replication attacks
in sensor networks. IEEE Symposium on Security and Privacy, 2005
23
2.2 Pairwise key establishment in
sensor networks
1. Initialization
m (<<k) keys in each sensor (“key ring of the node”)
Key
reservoir
(k keys)
2. Deployment
Probability for any 2 nodes
to have a common key:
Do we have a common key?
(( k  m)!) 2
p  1
k!(k  2m)!
24
Probability for two sensors to have a
common key
Eschenauer and Gligor, ACM CCS 2002
See also:
• Karlof, Sastry, Wagner: TinySec, Sensys 2004
• Westhoff et al.: On Digital Signatures in Sensor Networks, ETT 2005
25
2.3 Securing Neighbor Discovery:
Thwarting Wormholes
• Routing protocols will choose routes that contain wormhole links
– typically those routes appear to be shorter
– Many of the routes (e.g., discovered by flooding based routing
protocols such as DSR and Ariadne) will go through the wormhole
• The adversary can then monitor traffic or drop packets (DoS)
26
Wormholes are not specific to ad hoc
networks
access control system:
gate equipped with
contactless smart card reader
contactless
smart card
wormhole
contactless
smart card
emulator
fast
connection
smart card
reader
emulator
Hu, Perrig, and Johnson
Packet leashes: a defense against
wormhole attacks in wireless networks
INFOCOM 2003
user may be
far away from
the building
27
2.4 Secure routing in wireless ad hoc
networks
Exchange of messages in Dynamic Source Routing (DSR):
D
B
G
A
E
C
•
F







*:
*:
*:
*:
*:
*:
*:
[req,A,H;
[req,A,H;
[req,A,H;
[req,A,H;
[req,A,H;
[req,A,H;
[req,A,H;
-]  B, C, D, E
B]  A
C]  A
D]  A, E, G
E]  A, D, G, F
E,F]  E, G, H
D,G]  D, E, F, H
H  A: [H,F,E,A; rep; E,F]
Routing disruption attacks
–
–
–
–
–
•
H
A
B
C
D
E
F
G
routing loop
black hole / gray hole
partition
detour
wormhole
Resource consumption attacks
–
–
injecting extra data packets in the network
injecting extra control packets in the network
28
Operation of Ariadne illustrated
D
B
G
A
C
E
H
F
A  *: [req, A, H, MACKAH, (), ()]
E  *: [req, A, H, h(E|MACKAH), (E), (MACKE,i)]
F  *: [req, A, H, h(F|h(E|MACKAH)), (E, F), (MACKE,i, MACKF,i)]
H  F: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, ()]
F  E: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, (KF,i)]
E  A: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, (KF,i, KE,i)]
29
Secure route discovery with the
Secure Routing Protocol (SRP)
1
S
8
2
V1
7
3
V2
6
4
V3
5
T
Route Request (RREQ): S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID)
(1) S broadcasts RREQ;
(2) V1 broadcasts RREQ, V1;
(3) V2 broadcasts RREQ, V1, V2;
(4) V3 broadcasts RREQ, V1, V2, V3;
Route Reply (RREP): QID, T, V3, V2, V1, S,
MAC(KS,T, QID, QSEQ, T, V3, V2, V1, S)
(5) T → V3 : RREP;
(6) V3 → V2 : RREP;
(7) V2 → V1 : RREP;
(8) V1 → S : RREP;
QSEQ: Query Sequence Number
QID : Query Identifier
30
More on secure routing
Hu, Perrig, and Johnson:
Ariadne, Sept. 2002, SEAD, Jun. 2002
Sangrizi, Dahill, Levine, Shields, and Royer: ARAN,
Nov. 2002
Secure Route
Discovery
Papadimitratos and Haas: Secure Routing
Protocol (SRP), Jan. 2002
Zapata and Asokan: S-AODV, Sept.
2002
All above proposals are difficult to assess
 G. Ács, L. Buttyán, and I. Vajda:
Provably Secure On-demand Source Routing
IEEE Transactions on Mobile Computing, Nov. 2006
Secure Data
Communication
Cross-layer
attacks
Papadimitratos and Haas: Secure Single Path
(SSP) and Secure Multi-path (SMT) protocols,
Jul./Sept. 2003, Feb. 2006
Aad, Hubaux, Knightly:
Jellyfish attacks, 2004
31
2.5 Privacy: the case of RFID
• RFID = Radio-Frequency Identification
• RFID system elements
– RFID tag + RFID reader + back-end database
• RFID tag = microchip + RF antenna
– microchip stores data (few hundred bits)
– Active tags
• have their own battery  expensive
– Passive tags
• powered up by the reader’s signal
• reflect the RF signal of the reader modulated with stored data
RFID tag
tagged
object
RFID reader
reading
signal
ID
ID
detailed
object
information
back-end
database
32
RFID privacy problems
• RFID tags respond to reader’s query automatically,
without authenticating the reader
 clandestine scanning of tags is a plausible threat
• Two particular problems:
1. Inventorying: a reader can silently determine what objects
a person is carrying
•
•
•
•
•
books
medicaments
banknotes
underwear
…
2. Tracking: set of readers
can determine where a given
person is located
suitcase:
Samsonit
e
watch: Casio
jeans: Lee
Cooper
• tags emit fixed unique identifiers
• even if tag response is not unique it is possible
to track a set of particular tags
Juels A., RFID Security and Privacy: A Research Survey,
IEEE JSAC, Feb. 2006
book:
Wireless
Security
shoes: Nike
33
Who is malicious? Who is selfish?
Harm everyone: viruses,…
Selective harm: DoS,…
Big brother
Spammer
Cyber-gangster:
phishing attacks,
trojan horses,…
Greedy operator
Selfish mobile station
There is no watertight boundary between malice and selfishness
 Both security and game theory approaches can be useful
35
Conclusion
• Upcoming wireless networks bring formidable
challenges in terms of security
• The proper treatment requires a thorough
understanding of upcoming wireless networks, of
security
36
6.3 802.11 Wireless Network
Security
37
■
In this lecture, we shall discuss three standards for
securing wireless networks.
- WEP (Wired Equivalent Privacy)
- WPA (Wireless Protected Access)
- WPA2
■ Actually, they are a family, called IEEE 802.11.
■ The corresponding commercial specifications are
certified by Wi-Fi Alliance.
38
WEP (Wired Equivalent Privacy)
■ Specified
by IEEE Standard 802.11a, 1997.
■ Aimed to make wireless as secure as wired networks.
■ Security flaws were identified before the ink was dry.
■ Most serious attacks can recover the the WEP key by
analysing a few million encrypted packets.
■ In 2005, a group from FBI showed a demo to break a
WEP protected wireless network within 3 minutes by
using publicly available tools.
■ Open Source utilities: aircrack-ng, weplab, WEPCrack,
…
39
How WEP works?
■ WEP
uses RC4 to encrypt each packet M.
■ A WEP key K is shared among AP and all clients.
■ More specifically, the ciphertext C is generated by
C=(M||ICV)RC4(IV||K).
ICV: (non-cryptographic) checksum.
IV: a per-packet initialization value (3 bytes=24 bits).
K: from 5 to 16 bytes.
■ Finally, IV||C is transferred to the receiver.
40
Illustration of WEP:
802.11 Hdr
data
||
WEP Key
ICV
CRC-32
Per-Frame Key
K
802.11 Hdr
||
IV
RC4
Encryption
Data
ICV
41
Weaknesses in WEP:
■ Key
management and key size
The same shared secret key is used for both
authentication and encryption
■ Authentication
Only one-way authentication. That is, AP is not
authenticated to the client.
■ Integrity
It is possible to modify some bits in a message so that
the resulting message still passes the ICV test.
42
■ Confidentiality
- WEP RC4 can be compromised easily by passively
analysing several millions of packets.
- IV is short, reused, and not encrypted.
- RC4 has some weaknesses.
- Technical details can be found in the following paper.
A. Stubblefield, J. Ioannidis, and A. D. Rubin. Using
the Fluhrer, Mantin, and Shamir Attack to Break WEP.
2001.
http://citeseer.ist.psu.edu/stubblefield01using.html
43
WPA (Wireless Protected Access) or WEP2:
■ An
interim solution to replace WEP.
■ Aimed to work well with hardware designed for WEP.
■ Still use RC4 for encryption.
■ Several new elements were introduced:
- TKIP (Temporal Key Integrity Protocol).
- MIC (message integrity code) for preventing forgery.
- IV=48 bits for preventing replay attack.
- A mixing function for generating per-frame key.
44
Illustration of WPA (or WEP2):
802.11 Hdr
data
TKIP
||
WEP Key
K
MIC
MIC
Function
Per-Frame Key
Mixing
Function
802.11 Hdr
K’
IV
RC4
Encryption
Data
Integrity
Key
MIC
45
WPA2:
■ A long
term solution specified by IEEE 802.11i in 2004.
■ Aimed to work with new hardware.
■ Use AES (in a new mode called CCM) for encryption.
■ Several new elements were introduced:
- The base key K=128 bits.
- MIC is 64 bits for preventing forgery.
- IV=48 bits for preventing replay attack.
- Packet sequence number is used to generate IV.
46
Format of WAP2:
IV
Key ID
Encrypted by AES
802.11 Hdr 802.11i Hdr
Data
MIC
FCS
Authenticated by MIC
- FCS: Frame Check Sequence
- Check here for some nice diagrams for Wi-Fi Encryption:
http://xirrus.gcsmarket.com/pdfs/Xirrus_WiFiEncryption.pdf
47