3.- Wireless technologies
http://www.redes.upv.es/ralir/en/
Local Area Networks (RALIR) / School of Engineering in Computer Science / 2009-2010

• Basics
• Applications
• The physical media
• Free-space loss and frequency dependency
• The IEEE 802 specification family
• Comparison between different wireless technologies (PHY and MAC layers)
• IEEE 802.11
• Bluetooth

Wireless? Why?
• Mobility (anytime)
• Coverage (anywhere)
• New applications potential (services)
  - Healthcare: lab administration; people with disabilities; Point-of-Care testing; homecare administration; controlling patient data
  - Education: more efficient learning methods; wireless is ideal for campus-wide coverage

Some Application Areas
• Retail: direct inventory management; mobile POS; self-checkout; mobile scanners
• Manufacturing: field based data collections; product management; inventory visibility and planning

Vehicular Networks
• Safety and transport efficiency
  - In Europe around 40,000 people die and more than 1.5 million are injured every year on the roads
  - Traffic jams generate a tremendous waste of time and of fuel
• Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

Vehicle Communication (VC)
VC promises safer roads, … more efficient driving, … more fun, … and easier maintenance.

Rural communications
• Rural communications on the global agenda
  - Connecting villages with Information and Communication Technologies (ICT) and establishing community access points
• Benefits
  - E-business and e-commerce could play an important role in enabling local artisans to reach national and international markets

Over 40% of the world’s population lives in rural and remote areas of developing countries and have difficult or no access to even basic telecommunications services. Development of telecommunications in rural and remote areas, therefore forms an important mission of the ITU Development sector.
Yasuhiko Kawasumi, “Rural communications on the global agenda,” Global Survey on Rural Communications for the ITU-D on Communications for rural and remote areas.

Rural populations and their ICT needs
• Needs of rural people in connection with e-services (ITU-D global survey, Doc 111/SG2)
  - E-health, e-education and e-administration top the list as primary needs
  - E-business and e-banking also scored highly
• For many rural areas, electricity supply is simply non-existent or insufficient
• Telemedicine Training in Bhutan by Tokai University: Tokai University Institute of Medical Sciences donated the medical equipment with ICT functions and provided the training on the use of the equipment. Tokai University Second Opinion center provides the assistance service over the internet when requested by the Bhutanese ends.

About the “Wireless Internet”
[Figure labels, in extraction order: WWAN (3G, 4G?); low throughput, long range; WMAN (Wi-Max); high throughput, short range; WLAN (Wi-Fi); low throughput, short range; WPAN: Bluetooth, RFID]

Big Picture – WPAN’s
• WPAN technologies – RFID, Bluetooth
• RFID used in tagging applications, restricted environments (supermarkets, institutions)
  - 10 billion RFID tags to be sold by the end of 2005 (source: Deloitte & Touche)
• Bluetooth – technology has matured
  - 56% of mainstream devices commercialised will have Bluetooth support by 2008 (source: IDC)
  - Poor interoperability between vendors restricts the wide use of Bluetooth

Big Picture – WLAN’s
• WLAN – based on WiFi (802.11x)
• Adoption rate increased worldwide
  - 51% more units sold globally in 2004 compared to 2003 (source: Infonetics Research)
• European cities’ infrastructure facilitates the adoption of WiFi against wired alternatives
  - Old buildings
  - High population density
  - Poor telecommunications infrastructure
• Wi-Fi mesh infrastructure
  - Current backend implementations of Wi-Fi mesh infrastructure are based on proprietary solutions
  - Usage: wireless coverage of WLANs, blanketing large areas with hot-spot coverage
  - Coverage: 100 m to 10 km
  - Data rate: 54 Mbps - 100 Mbps

Big Picture – WMAN’s
• WiMax (Worldwide Interoperability for Microwave Access)
  - Standards-based technology
  - Deployment of broadband wireless networks based on the IEEE 802.16 standard
  - Enables the delivery of last mile wireless broadband access as an alternative to cable and DSL
• Some characteristics of the 802.16-2004 standard:
  - Improve user connectivity
  - Higher quality of services
  - Full support for WMAN service
  - Robust carrier-class operation

Big Picture – WMAN’s
[Figure: Mobile Networks Evolution, download speed over time (axis: 1995, 2005, 2015): GPRS 40 kbps; EDGE 90-180 kbps; UMTS 250-384 kbps; HSDPA 1-10 Mbps]

Antennas basics
• Directional Antenna: "An antenna having the property of radiating or receiving electromagnetic waves more effectively in some directions than others".
• Omni-Directional Antenna: "A hypothetical, lossless antenna having equal radiation intensity in all directions".
• For a WLAN antenna, the gain in dBi is referenced to that of an omnidirectional (isotropic) antenna (which is defined as 0 dBi).
[Figure: YAGI Directional Antenna]

Directional antennas
• Yagi antenna (13.5 dBi), reach: 6 km at 2 Mb/s; 2 km at 11 Mb/s
• Parabolic antenna (20 dBi), reach: 10 km at 2 Mb/s; 4.5 km at 11 Mb/s

More antennas examples
[Figure: horizontal radiation patterns]

ISM frequency bands
ISM (Industrial, Scientific and Medical) frequency bands:
• 900 MHz band (902 … 928 MHz)
• 2.4 GHz band (2.4 … 2.4835 GHz)
• 5.8 GHz band (5.725 … 5.850 GHz)
Anyone is allowed to use radio equipment for transmitting in these bands (provided specific transmission power limits are not exceeded) without obtaining a license.

ISM frequency band at 2.4 GHz
The ISM band at 2.4 GHz can be used by anyone as long as (in Europe...; ETSI EN 300 328-1 requirements):
Transmitters using FH (Frequency Hopping) technology:
• Total transmission power < 100 mW
• Power density < 100 mW / 100 kHz
Transmitters using DSSS technology:
• Total transmission power < 100 mW
• Power density < 10 mW / 1 MHz

Free-space loss
The free-space loss L of a radio signal is:

$$L = \left(\frac{4\pi d}{\lambda}\right)^2 = \left(\frac{4\pi d f}{c}\right)^2$$

where d is the distance between transmitter and receiver, $\lambda$ is the RF wavelength, f is the radio frequency, and c is the speed of light. The formula is valid for $d \gg \lambda$, and does not take into account antenna gains (=> Friis formula) or obstructing elements causing additional loss.

Power budget graphical representation
[Figure: power budget graphical representation]

IEEE 802 wireless network technology options

| Network definition | IEEE standard | Known as |
|---|---|---|
| Wireless personal area network (WPAN) | IEEE 802.15.1 | Bluetooth |
| Low-rate WPAN (LR-WPAN) | IEEE 802.15.4 | ZigBee |
| Wireless local area network (WLAN) | IEEE 802.11 | WiFi |
| Wireless metropolitan area network (WMAN) | IEEE 802.16 | WiMAX |

IEEE 802 standardisation framework
[Figure: the IEEE 802 stack. 802.1 Management and 802.2 Logical Link Control (LLC) sit above the Medium Access Control (MAC) layers: 802.3 MAC, CSMA/CD (Ethernet); 802.5 MAC (Token Ring); 802.11 MAC, CSMA/CA (Wireless LAN). Below them the PHY layers: 802.3 PHY, 802.5 PHY, and the 802.11, 802.11a, 802.11b and 802.11g PHYs.]

CSMA/CA
• Wireless LAN CSMA/CA = Carrier Sense Multiple Access with Collision Avoidance
• Unlike wired LAN stations, WLAN stations cannot detect collisions => avoid collisions
• A common MAC layer, but many PHY options
[Figure: 802.11 MAC (CSMA/CA) over the 802.11, 802.11a, 802.11b and 802.11g PHYs]

WLAN physical layer (1)
The original physical layer specified in 802.11 defines two signal formats:
• FHSS (Frequency Hopping Spread Spectrum)
• DSSS (Direct Sequence Spread Spectrum)
Data rates supported: 1 and 2 Mbit/s.
ISM band: 2.4 … 2.4835 GHz

WLAN physical layer (2)
The first widely implemented physical layer was 802.11b, which uses:
• DSSS (Direct Sequence Spread Spectrum) like in 802.11 but with larger bit rates: 1, 2, 5.5, 11 Mbit/s
• Automatic fall-back to lower speeds in case of bad radio channel.
ISM band: 2.4 … 2.4835 GHz

WLAN physical layer (3)
802.11a operates in the 5.8 GHz band.
• The signal format is OFDM (Orthogonal Frequency Division Multiplexing)
• Data rates supported: various bit rates from 6 to 54 Mbit/s.
Frequency band: 5 GHz

WLAN physical layer (4)
802.11g is the most recent physical layer, operating in the same band as 802.11b.
• The signal format is OFDM (Orthogonal Frequency Division Multiplexing)
• Data rates supported: various bit rates from 6 to 54 Mbit/s (same as 802.11a)
ISM band: 2.4 … 2.4835 GHz

Wireless Fidelity (WiFi)
The WiFi certification program of the Wireless Ethernet Compatibility Alliance (WECA) addresses compatibility of IEEE 802.11 equipment
=> WiFi ensures interoperability of equipment from different vendors.
[Figure: 802.11 MAC (CSMA/CA) over the 802.11, 802.11a, 802.11b and 802.11g PHYs, labelled WiFi5 and WiFi]

Wireless Personal Area Network (WPAN)
• 802.15.1 (MAC + PHY)
• Data rates up to 700 kbit/s (2.1 Mbit/s)
• ISM band: 2.4 … 2.4835 GHz
• Bluetooth Special Interest Group (SIG)
[Figure: the IEEE 802 stack (802.1 Management, 802.2 LLC, 802.3 / 802.5 / 802.11 MAC and PHY) extended with 802.15.1, 802.15.4 and 802.16, each a combined MAC + PHY]

Low-rate WPAN (LR-WPAN)
• 802.15.4 (MAC + PHY)
• Data rates up to 250 kbit/s
• ISM band: 2.4 … 2.4835 GHz
• ZigBee Alliance

Wireless Metropolitan Area Network (WMAN)
• 802.16 (MAC + PHY)
• Various data rates up to 100 Mbit/s and more
• Various frequency bands (not only ISM)
• WiMAX

Possible architectures
• Independent Basic Service Set (IBSS)
  - Decentralized structure
  - Flexible: permanent and temporary networks
  - Allows power consumption to be controlled
• Infrastructure Basic Service Set (BSS)
  - Components: Station (STA); Access Point (AP) or Point Coordinator (PC); Basic Service Set (BSS); Extended Service Set (ESS)

The Extended Service Set (ESS)
[Figure: BSSs with their APs joined by a Distribution System (DS); WLAN and LAN]
• The standard does not define the implementation details
• There is a proposal by a group of industries: Inter-Access Point Protocol (IAPP)

Task Group f
Scope of Project: to develop recommended practices for an InterAccess Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor Access Point interoperability across a Distribution System supporting IEEE P802.11 Wireless LAN Links.
Purpose of Project: ... including the concepts of Access Points and Distribution Systems. Implementation of these concepts were purposely not defined by P802.11 ... As 802.11 based systems have grown in popularity, this limitation has become an impediment to WLAN market growth.
This project proposes to specify the necessary information that needs to be exchanged between Access Points to support the P802.11 DS functions. The information exchanges required will be specified for, one or more Distribution Systems; in a manner sufficient to enable the implementation of Distribution Systems containing Access Points from different vendors which adhere to the recommended practices.
Status: Work has been completed and is now part of the Standard as a recommended practice.

Frames structure
Frame types:
• management (00)
• control (01)
• data (10)
• reserved (11)
Types of addresses:
• Source address (SA)
• Destination Address (DA)
• Transmitter Address (TA)
• Receiver Address (RA)
• BSS identifier (BSSID)

| Function | To DS | From DS | Addr. 1 | Addr. 2 | Addr. 3 | Addr. 4 |
|---|---|---|---|---|---|---|
| IBSS | 0 | 0 | RA = DA | SA | BSSID | - |
| From the AP | 0 | 1 | RA = DA | BSSID | SA | - |
| To the AP | 1 | 0 | RA = BSSID | SA | DA | - |
| Wireless DS | 1 | 1 | RA | TA | DA | SA |

BSSID and SSID
• BSSID (Basic Service Set Identity)
  - BSS: AP’s MAC address
  - Ad-Hoc: 46 bit random number
• SSID (Service Set ID)
  - Known as the Network Name
  - Length: 0~32 bytes; 0 is the broadcast SSID
  - Handled either manually or automatically
  - Should be unique; used to distinguish WLANs
  - An access point and a station that would like to form a unique WLAN should use the same SSID

Addressing and DS bits
[Figure: clients, APs, the DS and a server, with the SA, TA, RA (BSSID) and DA roles marked on each link; shown with the same To DS / From DS address table as under "Frames structure"]

Services
The IEEE 802.11 architecture defines 9 services: for the station and for the distribution.
• Station services:
  - Authentication / Deauthentication: similar to connecting/disconnecting a cable to a traditional network
  - Privacy: WEP
  - Data delivery
• Distribution services:
  - Association: generates a connection between a STA and an AP
  - Disassociation
  - Reassociation: like association but informing about the previous AP
  - Distribution
  - Integration: connects the WLAN with other LANs

State variables and services
• State 1: unauthenticated, unassociated (Class 1 frames)
• State 2: authenticated, unassociated (Class 1 & 2 frames)
• State 3: authenticated, associated (Class 1, 2 & 3 frames)
[Figure: state diagram linking the three states; transition labels: successful authentication; successful authentication or reassociation; disassociation notification; deauthentication notification (twice)]
• In an IBSS there is neither authentication nor association. Data service is allowed.
• A STA can be authenticated with various APs but it can be associated with only one AP

Scanning
• Parameters: BSStype, BSSID, SSID, ScanType, ChannelList, ProbeDelay, Min/MaxChannelDelay
• ScanType: Passive
  - The stations wait for the APs' beacons
• ScanType: Active
  - Stations send probe requests
• Scan reports are generated
• The following phase is joining; this phase precedes the sequence of actions up to association

The MAC: reliable data delivery
• Point Coordination Function (PCF): no contention
• Distributed Coordination Function (DCF): with contention; CSMA/CA with binary exponential backoff
• The minimum protocol consists of two frames: the data and the ACK
• The 5 timing values:
  - Slot time
  - SIFS: short interframe space (< slot time)
  - PIFS: PCF interframe space (= SIFS + 1 slot)
  - DIFS: DCF interframe space (= SIFS + 2 slots)
  - EIFS: extended interframe space
[Figure: interframe spacing after a busy medium: SIFS, PIFS, DIFS, slots, contention window, defer access]

DCF behaviour
The back off values are chosen inside the congestion window.
That is, inside the interval [0, CW].
• CW can vary between 31 slots (CWmin) and 1023 slots (CWmax)
• CW is incremented after every failed sending and reset after every successful transmission
[Figure: backoff timeline for two stations with CW = 31; B1 and B2 are the back off intervals at STA 1 and STA 2 (B1 = 25, 5; B2 = 20, 15, 10), with wait and data periods]

Problematic configurations
• Hidden node
• Exposed node
[Figure: hidden node with stations A, B, C; exposed node with stations A, B, C, D]

RTS/CTS mechanism
Based on the network allocation vector (NAV)
[Figure: timing diagram. Source: DIFS, RTS, data. Destination: CTS and ACK, each separated by SIFS. Other STAs: NAV (RTS), NAV (CTS), defer access, then DIFS and contention window.]

PCF: Point Coordination Function
[Figure: timing diagram of a Contention Free Period between two CPs. The PC sends Beacon, Data+Poll frames and CF-End separated by PIFS/SIFS; STA1 to STA3 answer with DATA+ACK or ACK, or give no response; NAV and its reset are shown along the time axis.]
• Station 2 sets the NAV (Network Allocation Vector)
• Station 3 is hidden to the PC, so it does not set the NAV. It continues to operate in DCF.
• Beacons are used to keep timers in the stations synchronized and to send control information
• The AP generates beacons at regular intervals
• Stations know when the following beacon is arriving
  - The target beacon transmission time (TBTT) is announced in the previous beacon

PCF: the superframe
• There is a repetition of contention-free (CFP) and contention (CP) periods
• A CFP and the following CP form a superframe.
[Figure: 802.11 periodic superframe. CFP (Contention Free Period): Beacon, CF-Poll, DATA, CF-End between PC and STAs. CP (Contention Period): DATA frames.]

Broadcast traffic
• It is not possible to fragment frames whose destination is a group address
• Acknowledgements are not sent
• MAC does not offer any retransmission service to broadcast or multicast frames

802.11b channels overview
• The standard defines 14 channels, 22 MHz wide
• FCC only uses the first 11
• In Spain only channels 10 and 11
• 3 channels do not overlap (1, 6, 11)
• Data rate is 11 Mbps

IEEE 802.11: SECURITY

Wireless LAN Security Issues

| Issue | 802.11 WEP Solution |
|---|---|
| Wireless sniffer can view all WLAN data packets | Encrypt all data transmitted between client and AP |
| Anyone in AP coverage area can get on WLAN | Without encryption key, user cannot transmit or receive data |

[Figure: wireless LAN (WLAN) client, access point (AP) and wired LAN]
Goal: Make WLAN security equivalent to that of wired LANs (Wired Equivalent Privacy)

WEP – Protection for 802.11b
Wired Equivalent Privacy
• No worse than what you get with wire-based systems.
• Criteria:
  - “Reasonably strong”
  - Self-synchronizing – stations often go in and out of coverage
  - Computationally efficient – in HW or SW since low MIPS CPUs might be used
  - Exportable – US export codes (relaxed in Jan 2000 / “Wassenaar Arrangement”)
  - Optional – not required to use it
• Objectives:
  - confidentiality
  - integrity
  - authentication

WEP – How It Works
• Secret key (40 bits or 104 bits)
  - can use up to 4 different keys
• Initialization vector (24 bits, by IEEE std.)
  - total of 64 or 128 bits “of protection.”
• RC4-based pseudo random number generator (PRNG)
• Integrity Check Value (ICV): CRC 32
[Figure: frame layout. Frame header | IV (4 bytes) | Data (PDU) (≥ 1 byte) | ICV (4 bytes) | FCS. The IV field is Init Vector (3 bytes) followed by 1 byte holding Pad (6 bits) and Key ID (2 bits).]

WEP Encryption Process
1) Compute the ICV using CRC-32 over the plaintext message.
2) Concatenate the ICV to the plaintext message.
3) Choose a random IV, concatenate it to the secret key and input it to RC4 to produce the pseudo random key sequence.
4) Encrypt plaintext + ICV by doing a bitwise XOR with the key sequence to produce the ciphertext.
5) Put the IV in front of the ciphertext.
[Figure: WEP encryption block diagram. Initialization Vector (IV) and Secret Key form the Seed of the WEP PRNG, which outputs the Key Sequence; the Plaintext goes through the Integrity Algorithm to give the Integrity Check Value (ICV); the Message is IV + Ciphertext.]

WEP Decryption Process
1) The IV of the message is used to generate the key sequence, k.
2) Ciphertext XOR k → original plaintext + ICV.
3) Verify by computing the integrity check on the plaintext (ICV’) and comparing it to the recovered ICV.
4) If ICV ≠ ICV’ then the message is in error; send error to MAC management and back to the sending station.
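
The encryption and decryption steps above can be followed in code. This is an added example, not part of the original slides: it implements the IV field layout and both processes, then checks two properties that the "WEP Weaknesses" slide relies on (a repeated IV repeats the key sequence, and 24-bit IVs repeat quickly). The key, IV, payloads and the busy-network frame rate are constructed assumptions.

```python
import math
import struct
import zlib

IV_SPACE = 2 ** 24  # number of distinct 24-bit initialization vectors


def rc4(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 key sequence for the given seed (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian.
    It is an unkeyed checksum, so it catches transmission errors only."""
    return struct.pack("<I", zlib.crc32(plaintext))


def wep_encrypt(secret_key: bytes, iv: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Steps 1-5 of the encryption process; returns IV field + ciphertext."""
    if len(secret_key) not in (5, 13) or len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("need a 40/104-bit key, a 24-bit IV and a key ID of 0..3")
    body = plaintext + icv(plaintext)                # steps 1-2
    key_sequence = rc4(iv + secret_key, len(body))   # step 3: seed = IV || secret key
    iv_field = iv + bytes([key_id << 6])             # 3-byte IV, 6 pad bits, 2-bit key ID
    return iv_field + xor(body, key_sequence)        # steps 4-5


def wep_decrypt(secret_key: bytes, frame_body: bytes) -> bytes:
    """Steps 1-4 of the decryption process; raises ValueError if ICV != ICV'."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    body = xor(ciphertext, rc4(iv + secret_key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: message is in error")
    return plaintext


def corruption_is_detected(secret_key: bytes, frame_body: bytes) -> bool:
    """Flip one ciphertext bit, as channel noise would, and try to decrypt."""
    damaged = bytearray(frame_body)
    damaged[4] ^= 0x01
    try:
        wep_decrypt(secret_key, bytes(damaged))
    except ValueError:
        return True
    return False


def same_iv_repeats_key_sequence(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """With the same IV and key the key sequence is identical, so C1 xor C2 == P1 xor P2."""
    c1 = wep_encrypt(secret_key, iv, 0, p1)[4:]
    c2 = wep_encrypt(secret_key, iv, 0, p2)[4:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


def iv_reuse_probability(frames: int) -> float:
    """Chance that at least two of `frames` randomly chosen IVs are equal."""
    log_all_distinct = sum(math.log1p(-i / IV_SPACE) for i in range(frames))
    return -math.expm1(log_all_distinct)


def iv_rollover_hours(frames_per_second: float) -> float:
    """Time for a sequentially incremented IV to wrap around."""
    return IV_SPACE / frames_per_second / 3600


# Constructed sample values (not from the slides).
KEY = bytes.fromhex("0102030405")  # 40-bit secret key
IV = bytes.fromhex("a1b2c3")
FRAME = wep_encrypt(KEY, IV, 0, b"constructed sample payload")
# Assumption: 1500-byte frames sent back to back at 11 Mbit/s.
BUSY_FPS = 11e6 / (1500 * 8)

if __name__ == "__main__":
    print(wep_decrypt(KEY, FRAME))
    print(corruption_is_detected(KEY, FRAME))
    print(same_iv_repeats_key_sequence(KEY, IV, b"first message", b"other message"))
    print(round(iv_reuse_probability(5000), 3), round(iv_rollover_hours(BUSY_FPS), 1))
```

With these assumptions the reuse probability after 5000 random IVs is about 0.53 and a sequential IV wraps in about 5 hours, in line with the figures quoted on the "WEP Weaknesses" slide.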
[Figure: WEP decryption block diagram. Secret Key and the IV from the Message form the Seed of the WEP PRNG; the Key Sequence is XORed with the Ciphertext to give the Plaintext and ICV; the Integrity Algorithm computes ICV’, which is compared with ICV.]

WEP Station Authentication
• Wireless Station (WS) sends Authentication Request to Access Point (AP).
• AP sends (random) challenge text T.
• WS sends challenge response (encrypted T).
• AP sends ACK/NACK.
[Figure: message sequence between WS and AP: Auth. Req., Challenge Text, Challenge Response, Ack]

WEP Weaknesses
• Forgery Attack
  - Packet headers are unprotected, can fake src and dest addresses.
  - AP will then decrypt data to send to other destinations.
  - Can fake CRC-32 by flipping bits.
• Replay
  - Can eavesdrop and record a session and play it back later.
• Collision (24 bit IV; how/when does it change?)
  - Sequential: roll-over in < ½ day on a busy net
  - Random: After 5000 packets, > 50% of reuse.
• Weak Key
  - If ciphertext and plaintext are known, attacker can determine key.
  - Certain RC4 weak keys reveal too many bits. Can then determine RC4 base key.
  - Well known attack described in the Fluhrer/Mantin/Shamir paper “Weaknesses in the Key Scheduling Algorithm of RC4”, Scott Fluhrer, Itsik Mantin, and Adi Shamir, using: http://www.aircrack-ng.org/

Ways to Improve Security with WEP
• Use WEP(!)
• Change wireless network name from default
  - any, 101, tsunami
• Turn on closed group feature, if available in AP
  - Turns off beacons, so you must know name of the wireless network
• MAC access control table in AP
  - Use Media Access Control address of wireless LAN cards to control access
• Use 802.11i support if available in AP
  - Define user profiles based on user name and password

War Driving in New Orleans (back in December 2001)
• Equipment
  - Laptop, wireless card, software
  - GPS, booster antenna (optional)
• Results
  - 64 Wireless LAN’s
  - Only 8 had WEP Enabled (12%)
  - 62 AP’s & 2 Peer to Peer Networks
  - 25 Default (out of the box) Settings (39%)
  - 29 Used The Company Name For ESSID (45%)

Other solutions
• VPN Connectivity
  - PPTP, L2TP
  - Third Party
• IPSec
  - Many vendors
• Password-based Layer 2 Authentication
  - Cisco LEAP
  - RSA/Secure ID
  - IEEE 802.1x PEAP/MSCHAP v2
• Certificate-based Layer 2 Authentication
  - IEEE 802.1x EAP/TLS

WLAN Security Comparisons

| WLAN Security Type | Security Level | Ease of Deployment | Usability and Integration |
|---|---|---|---|
| IEEE 802.11 | Low | High | High |
| VPN | Medium | Medium | Low |
| Password-based | Medium | Medium | High |
| IPSec | High | Low | Low |
| IEEE 802.1x TLS | High | Low | High |

802.1X
• Defines port-based access control mechanism
  - Works on anything, wired and wireless
  - Access point must support 802.1X
  - No special encryption key requirements
• Allows choice of authentication methods using EAP
  - Chosen by peers at authentication time
  - Access point doesn’t care about EAP methods
• Manages keys automatically
  - No need to preprogram wireless encryption keys

Wi-Fi Protected Access (WPA)
• A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
• Goals
  - Enhanced Data Encryption (TKIP)
  - Provide user authentication (802.1x)
  - Be forward compatible with (802.11i)
  - Provide non-RADIUS solution for Small/Home offices: WPA-PSK
• Typically a software upgrade; the Wi-Fi Alliance began certification testing for interoperability on Wi-Fi Protected Access products in February 2003
• WPA2

Wi-Fi Protected Access (WPA)
• WEP's IV is only 24 bits, so IVs are repeated every few hours
• WPA increased IV to 24 bits, repeated every 900 years
• WPA alters values acceptable as IVs
• Protects against forgery and replay attacks
  - IV formed from MAC address and TSC
• TKIP: new password generated every 10,000 packets
• WPA-PSK Passphrase
  - WPA / 802.11i recommend a 20-character password
  - Crack is brute force based

802.1x and PEAP
[Figure: 802.1x and PEAP]

IEEE 802.11: CONFIGURATION

Linksys Wireless-G Access Point
[Figures: the slides under this title contain only images]

Bluetooth

Bluetooth history
• De facto standard - open specifications, publicly available on Bluetooth.com: http://bluetooth.com/Bluetooth/Technology/Works/
• Bluetooth specs developed by the Bluetooth SIG.
• February 1998: The Bluetooth SIG is formed
  - promoter company group: Ericsson, IBM, Intel, Nokia, Toshiba
• May 1998: The Bluetooth SIG goes “public”
• July 1999: 1.0A spec (>1,500 pages) is published
• December 1999: ver. 1.0B is released
• December 1999: The promoter group increases to 9
  - 3Com, Lucent, Microsoft, Motorola
• February 2000: There are 1,500+ adopters
• Versions: 0.7, 0.9, 1.0A, 1.0B, 1.1, …
• November 2003: release 1.2
• November 2004: release 2.0+EDR
  - EDR (Extended Data Rate) triples the data rate up to about 3 Mb/s
• Currently (July 2007): release 2.1+EDR
• Next specification (2Q08) will include ability to utilize additional radio technologies to enable high speed Bluetooth applications.

Versions
• Version 1.2, unlike 1.1, provides a complementary wireless solution that lets Bluetooth and Wi-Fi co-exist in the 2.4 GHz spectrum without interference between them.
  - It uses the technique "Adaptive Frequency Hopping" (AFH), which gives a more efficient transmission and a more secure encryption.
  - It offers voice quality (Voice Quality - Enhanced Voice Processing) with less noise, and provides a faster configuration of communication with other Bluetooth devices within range.
• Version 2.0, created to be a separate specification, mainly incorporates the technique "Enhanced Data Rate" (EDR), which improves transmission speeds up to 3 Mbps while trying to solve some errors of specification 1.2.

Release 2.1
• Near Field Communication (NFC) Technology
  - NFC may also be used in the new pairing system, enabling a user to hold two devices together at a very short range to complete the pairing process.
• Lower Power Consumption
  - Reduced power consumption means longer battery life in devices like mice and keyboards. Bluetooth Specification Version 2.1 + EDR can increase battery life by up to five times.
Improved Security
  For pairing scenarios that require user interaction, eavesdropper protection makes a simple six-digit passkey stronger than a 16-digit alphanumeric character random PIN code. Improved pairing also offers "Man in the Middle" protection that in reality eliminates the possibility for an undetected middle man intercepting information.

Bluetooth usage
Low-cost, low-power, short range radio
  a cable replacement technology
Common (File transfer, synchronisation, internet bridge, conference table)
Hidden computing (background synchronisation, audio/video player)
Future (PC login, remote control)
Why not use Wireless LANs?
  power
  cost

Bluetooth RF
1 Mb/s symbol rate
Normal range 10m (0dBm)
Optional range 100m (+20dBm)
Normal transmission power 0dBm (1mW)
Optional transmission power -30 to +20dBm (100mW)
Receiver sensitivity -70dBm
Frequency band 2.4GHz ISM band
Gross data rate 1Mbit/s
Max data transfer 721+56kbps/3 voice channels
Power consumption 30uA(max), 300uA(standby), ~50uA(hold/park)
Packet switching protocol based on frequency hop scheme with 1600 hops/s

Bluetooth Power Class Table
Power Class   Max Output Power   Max Output Power   Expected Range   Range in Free Space
Class 1       100mW              20dBm              42m              300m
Class 2       2.5mW              4dBm               16m              50m
Class 3       1mW                0dBm               10m              30m

Bluetooth Network Topology
Bluetooth devices have the ability to work as a slave or a master in an ad hoc network. There are three types of network configurations for Bluetooth devices.
  Single point-to-point (Piconet): In this topology the network consists of one master and one slave device.
  Multipoint (Piconet): Such a topology combines one master device and up to seven slave devices in an ad hoc network.
  Scatternet: A Scatternet is a group of Piconets linked via a slave device in one Piconet which plays the master role in another Piconet.
[Figure: i) Piconet (Point-to-Point), ii) Piconet (Multipoint), iii) Scatternet; M = Master, S = Slave]
The Bluetooth standard does not describe any routing protocol for scatternets and most of the hardware available today has no capability of forming scatternets. Some even lack the ability to communicate between slaves of one piconet or to be a member of two piconets at the same time.

Bluetooth stack: short version
Applications
RFCOMM
SDP
L2CAP
HCI
Link Manager
Baseband
RF

Transport Protocol Group (contd.)
The Radio, Baseband and Link Manager are on firmware. The higher layers could be in software. The interface is then through the Host Controller (firmware and driver). The HCI interfaces defined for Bluetooth are UART, RS232 and USB.
Radio Frequency (RF)
  Sending and receiving modulated bit streams
Baseband
  Defines the timing, framing
  Flow control on the link.
Link Manager
  Managing the connection states.
  Enforcing Fairness among slaves.
  Power Management
Logical Link Control & Adaptation Protocol
  Handles multiplexing of higher level protocols
  Segmentation & reassembly of large packets
  Device discovery & QoS
BLUETOOTH SPECIFICATION, Core Version 1.1 page 543
Source: Farinaz Edalat, Ganesh Gopal, Saswat Misra, Deepti Rao

End to End Overview of Lower Software Layers to Transfer Data
[Figure: BLUETOOTH SPECIFICATION, Core Version 1.1 page 544]

Physical Link Definition
Synchronous Connection-Oriented (SCO) Link
  circuit switching
  symmetric, synchronous services
  slot reservation at fixed intervals
Asynchronous Connection-Less (ACL) Link
  packet switching
  (a)symmetric, asynchronous services
  polling access scheme

ACL data rates
Packet type    Name   Symmetric (kbps)   Asymmetric (kbps)
1 slot + FEC   DM1    108.8              108.8    108.8
1 slot         DH1    172.8              172.8    172.8
3 slot + FEC   DM3    256.0              384.0    54.4
3 slot         DH3    384.0              576.0    86.4
5 slot + FEC   DM5    286.7              477.8    36.3
5 slot         DH5    432.6              721.0    57.6

Multi-slot packets
[Figure: Single slot, Three slot and Five slot packets over hop frequencies fn to fn+5]

Symmetric single slot
[Figure: Master and Slave over hop frequencies fn to fn+12]

Mixed Link Example
[Figure: MASTER, SLAVE 1, SLAVE 2 and SLAVE 3 with SCO and ACL links]

Polling on ACL links
Slave is allowed to send only after it has been polled.
Master polls slave at least every Npoll slots (negotiated).
Master may send at will.
Polling algorithm is proprietary.
[Figure: POLL and Data between Master and Slave; Slot, TDD frame, time]

Bluetooth Connection States
There are four connection states on Bluetooth Radio:
  Active: Both master and slave participate actively on the channel by transmitting or receiving packets (A,B,E,F,H)
  Sniff: In this mode the slave, rather than listening on every slot for the master's messages, sniffs on specified time slots for its messages. Hence the slave can go to sleep in the free slots, thus saving power (C)
  Hold: In this mode, a device can temporarily not support ACL packets and go to low power sleep mode to make the channel available for things like paging, scanning etc. (G)
  Park: The slave stays synchronized but does not participate in the Piconet; the device is given a Parking Member Address (PMA) and it loses its Active Member Address (AMA) (D,I)
[Figure: Bluetooth Connection States; Master and devices A to I]

Bluetooth Forming a Piconet
  Inquiry: Inquiry is used to find the identity of the Bluetooth devices in close range.
  Inquiry Scan: In this state, devices are listening for inquiries from other devices.
  Inquiry Response: The slave responds with a packet that contains the slave's device access code, native clock and some other slave information.
  Page: Master sends page messages by transmitting the slave's device access code (DAC) in different hop channels.
  Page Scan: The slave listens at a single hop frequency (derived from its page hopping sequence) in this scan window.
  Slave Response: Slave responds to master's page message
  Master Response: Master reaches this substate after it receives the slave's response to its page message.
[Figure: Forming a Piconet Procedures. Master: Inquiry, Page, Master Response, Connection. Slave: Inquiry Scan, Inquiry Response, Page Scan, Slave Response, Connection]

SDP - Service Discovery
Focus
  Service discovery within Bluetooth environment
  Optimized for dynamic nature of Bluetooth
  Services offered by or through Bluetooth devices
Some Bluetooth SDP Requirements (partial list)
  Search for services based upon service attributes and service classes
  Browse for services without a priori knowledge of services
  Suitable for use on limited-complexity devices
  Enable caching of service information
How does it work?
  Establish L2CAP connection to remote device
  Query for services
    Search for specific class of service, or
    Browse for services
  Retrieve attributes that detail how to connect to the service
  Establish a separate (non-SDP) connection to use the service

Packet Structure
Access Code (72 bits), Header (54 bits), Payload (0 - 2745 bits), Guard (220 µs)
Control packets: ID*, Null, Poll, FHS, DM1
Data/voice packets
  Voice: HV1, HV2, HV3, DV
    No retries
    No CRC
    FEC (optional)
  data (136 bits ... 2712 bits): DH1, DH3, DH5, DM1, DM3, DM5
    Payload fields: Header, Data, CRC
    ARQ
    CRC
    FEC (optional)
Source: Farinaz Edalat, Ganesh Gopal, Saswat Misra, Deepti Rao

Bluez