security problems in wireless networks - cse...
TRANSCRIPT
By Dr. Donggang Liu
Security of Wireless Networks
• Wireless networks are everywhere
  – more and more electronic devices are becoming wireless
• However, ensuring security in wireless networks is challenging
  – Wireless links are open to all entities
    • no physical protection of links
    • anyone can send and receive from the channel
  – Links are broadcast in nature
    • overhearing signals, generating collisions
  – Power and computing resources are usually limited
    • Many “wired” solutions are not practical
Example Attacks
• Eavesdropping the transmission
• Injecting bogus messages
• Replaying previously recorded messages
• Unauthorized access to services
• Denial of service
  – Signal jamming
Protecting Wireless Networks
• Confidentiality
  – Messages sent over wireless links must always be encrypted
• Integrity
  – The origin of messages must be verified
  – No one can modify messages without being detected
  – The freshness of the messages must be ensured
• Availability
  – Service shall always be available
  – Jamming has to be handled
Security Attacks
• Weakness in wireless systems
  – Design level and implementation level
• Attacks at different layers
  – Physical layer: jamming
  – MAC layer: jamming, selfish behavior
  – Network layer: routing, selfish behavior
Physical Layer
• Radio signal comes with noise
  – SNR must be good enough for decoding
• Jamming
  – Constant jamming
    • Inject noise signal continuously
  – Reactive jamming
    • Jam only when there are signals in the air
    • More effective, but you need to detect the presence of radio signal
MAC Layer
• Fingerprinting physical devices
  – user privacy: tracking a specific user
  – location privacy: determine the location of a specific device/user
• Three methods
  – Using clock skew
  – Using radio frequency characteristics
  – Using RSS signature
• Fingerprinting could be used for legitimate purposes
  – It could be fooled by attackers
MAC Layer
• Jamming
  – Constant jamming
    • Send packets continuously
  – Reactive jamming
    • Send packets to corrupt existing transmission
• Selfish behavior
  – Manipulate MAC protocol to maximize bandwidth
    • Send packets without any back-off timer
Network Layer
• Sybil attacks
• Node replication attacks
• Wormhole attacks
• Selective routing
• Routing black-hole
• Identity privacy
• Location privacy
GSM Security
• Main security component
  – subscriber authentication
    • challenge-response protocol
    • based on a long-term key shared with the home network operator
    • support roaming without leaking long-term key
• Other security components
  – Confidentiality of the communication
    • Messages are always encrypted with proper keys
  – user privacy
    • Temporary identifiers during the network access
The SIM Card
• Subscribers must establish security associations with the network
  – Subscriber Identity Module (SIM card)
• Tamper resistant
  – Information is destroyed if there is any physical tampering
• Protected by a PIN code
• Removable from the phone
• Contains all data specific to an end user
  – Identity, PIN, secret keys, phone logs, ...
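GSM Authentication
[Figure: message flow between Mobile Station, Visited Network and Home network]
• Mobile Station -> Visited Network: Identity (IMSI)
• Visited Network -> Home network: Identity (IMSI)
• Home network: K, R -> Ke, S
• Home network -> Visited Network: (Ke, R, S)
• Visited Network -> Mobile Station: R
• Mobile Station: K, R -> Ke, S’
• Mobile Station -> Visited Network: S’
• Visited Network: S = S’ ?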
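The GSM Authentication exchange above as a small simulation, added here as an illustration and not taken from the lecture. The class and function names are hypothetical, HMAC-SHA256 is an assumed stand-in for the operator's derivation of Ke and S from K and R, and the IMSI and key are constructed sample values.

```python
import hashlib
import hmac
import os

def derive(k: bytes, r: bytes):
    """K, R -> (Ke, S). HMAC-SHA256 is a stand-in for the operator's algorithms."""
    ke = hmac.new(k, b"Ke" + r, hashlib.sha256).digest()[:8]
    s = hmac.new(k, b"S" + r, hashlib.sha256).digest()[:4]
    return ke, s

class HomeNetwork:
    def __init__(self, subscribers: dict):
        self._k = dict(subscribers)          # IMSI -> long-term key K

    def triplet(self, imsi: str):
        r = os.urandom(16)                   # fresh challenge R
        ke, s = derive(self._k[imsi], r)
        return ke, r, s                      # K itself is never sent

class MobileStation:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k, self.ke = imsi, k, None   # K lives on the SIM card

    def respond(self, r: bytes) -> bytes:
        self.ke, s2 = derive(self._k, r)
        return s2                            # S'

class VisitedNetwork:
    def __init__(self, home: HomeNetwork):
        self.home, self.session_keys, self.seen = home, {}, []

    def authenticate(self, ms: MobileStation) -> bool:
        ke, r, s = self.home.triplet(ms.imsi)        # forwards Identity (IMSI)
        s2 = ms.respond(r)                           # sends R, receives S'
        self.seen.append((ms.imsi, ke, r, s, s2))    # everything it ever holds
        if not hmac.compare_digest(s, s2):           # S = S' ?
            return False
        self.session_keys[ms.imsi] = ke
        return True

# Constructed sample subscriber (IMSI and key are made up).
IMSI, K = "001010123456789", bytes.fromhex("00112233445566778899aabbccddeeff")
```

`respond()` answers any R it is given: the exchange authenticates the subscriber to the network only, so the mobile station has no way to check who sent the challenge.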
Issues
• Focus on the protection of wireless communication
  – the wired part is not considered
• The visited network has all the data except the master secret key
  – Privacy of users is of great concern
• Successful attacks have been reported
  – Fake base stations
  – Cloning of the SIM card
    • Tamper-resistance is not a 100% guarantee
WiFi Security
• WEP (Wired Equivalent Privacy)
  – Part of 802.11 specification
• Focus on the protection of wireless part
  – Make sure that it is at least as secure as a simple wired LAN (without extra protection)
  – Not intended for strong security
• Services include
  – access control to the wired network
    • Done through the access point (AP)
  – message confidentiality and integrity
WEP Authentication
• A user device needs to authenticate itself to the AP
• Based on a preset key between the device and the AP
  – You need to get this key before joining the WiFi network
• The protocol
  – STA->AP: request
  – AP->STA: challenge (r) //128 bits long
  – STA->AP: response (ek(r))
  – AP->STA: Success/Fail
WEP Encryption
• Based on RC4 (by Rivest for RSA 1987)
• Encryption procedure
  – For each message
    • RC4 is initialized with the shared secret and IV
      – IV (24 bits) changes for every message
    • RC4 produces a pseudo-random byte sequence
    • This byte sequence is XORed with the message
• Integrity Protection
  – Based on an encrypted CRC value
    • Compute an ICV and append it to the message
    • The message and ICV are encrypted together
Detailed Protocol
• Encryption
  – IV, K^(Message || ICV)
• Decryption
  – Extract IV
  – K^(the remaining part)
    • -> recovered message
    • -> (Message’ || ICV’)
  – Check whether Message’ and ICV’ match
• K = RC4(IV || secret key)
  – The pseudo-random byte sequence
WEP Keys
• Shared keys
  – A default key for encryption/decryption
  – You can have multiple default keys
    • But in practice, we often use one default key
  – users use the same key for access
    • They can decrypt each other’s messages
• Key mapping keys
  – Individual keys for users
  – AP maintains a table of keys shared with users
  – An index is used to determine which one to use
WEP Flaws
• Access point is not authenticated
  – A user may establish connection with a rogue AP
  – Traffic to and from users may be intercepted
• Impersonation during authentication
  – Protocol
    • AP->STA: r
    • STA->AP: IV || r^K
  – Attacker can recompute K and impersonate STA
    • AP->attacker: r’
    • attacker->AP: IV || r’^K
WEP Flaws
• Replay attack
  – IV does not have to be increased after each message
    • IV can be reused
    • FIX: increase IV by 1 for every message
• ICV problem
  – CRC used for computing ICV is a linear function
    • CRC(X^Y)=CRC(X)^CRC(Y)
  – Attacker intercepts ((M || CRC(M)) ^ K)
    • And XORs it with (M’ ^ M || CRC(M’ ^ M))
    • Where M’ is the target message
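The frame format from the Detailed Protocol slide and the ICV problem above, as a runnable sketch added here for illustration (not code from the lecture). Function names, the key, the IV and the messages are constructed, and the ICV byte order is an assumption. CRC-32 as computed by `zlib.crc32` is affine rather than strictly linear, so the ICV part of the XOR patch carries an extra CRC(0..0) term.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for key (KSA, then PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    """ICV = CRC-32 of the message (little-endian byte order assumed)."""
    return zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """IV, K ^ (Message || ICV), with K = RC4(IV || secret key)."""
    body = msg + icv(msg)
    return iv + xor(body, rc4(iv + secret, len(body)))

def wep_decrypt(secret: bytes, frame: bytes):
    """Return Message' if it matches ICV', otherwise None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + secret, len(body)))
    msg, got = plain[:-4], plain[-4:]
    return msg if icv(msg) == got else None

def modify_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR (delta || ICV(delta) ^ ICV(0..0)) into the body; no key is used."""
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], patch)

# Constructed sample values, not from the slides.
SECRET = bytes.fromhex("0102030405")        # 40-bit shared secret
IV = bytes.fromhex("000001")                # 24-bit IV
M, M_TARGET = b"PAY 0100 TO ALICE", b"PAY 9900 TO ALICE"
FRAME = wep_encrypt(SECRET, IV, M)
FORGED = modify_without_key(FRAME, xor(M, M_TARGET))

if __name__ == "__main__":
    print("original accepted:", wep_decrypt(SECRET, FRAME))
    print("modified accepted:", wep_decrypt(SECRET, FORGED))
```

The receiver accepts the modified frame because the ICV is an unkeyed checksum under a stream cipher; a random bit error is still caught, but a change that also patches the ICV is not.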
WEP Flaws
• IV reuse
  – Assume it increases by 1 for every message
  – However, IV is 24 bits long -> 16,777,216 possibilities
    • After 16M messages, IV will be reused
    • e.g., 11Mbps AP -> 700 packets per second -> 7 hours
• Weak RC4 keys
  – Due to the use of IV, RC4 will use a lot of keys during message transmission
  – However, some of the keys are weak
    • RC4 output is not random in the beginning
    • Attacker can thus recover shared secret if a weak key is computed
  – WEP encryption will be broken after a few million messages