test bed for-security ieee

8/13/2019 Test Bed for-security IEEE

1/18

3G-WLAN Convergence: Vulnerability, Attacks

Possibilities and Security odel

u!a""ad S!er #!o"as agedan$%aculty o& 'lectrical 'ngineering ( Co")uter Science, %aculty o& 'lectrical 'ngineering ( Co")uter Science,

*nstitute &or #eleco""unication Syste", Ne+tGeneration

*nstitute &or #eleco""unication Syste", Ne+tGeneration

Netorks *ntegration AV., #ec!nical /niversity 0erlin1 Netorks *ntegration -AV., #ec!nical /niversity 0erlin1

%okus %raun!o&er #eleco""unication *nstitute %okus %raun!o&er #eleco""unication *nstitute0erlin, Ger"any 0erlin, Ger"any

s!er2&okus&raun!o&erde "agedan$2&okus&raun!o&erde

AbstractIn this paper we present the vulnerability, threats and

attacks for Third Generation (3G) networks converged with

W!" and propose the security #odel addressing the roa#ing

and non$roa#ing security scenarios% &any threats against 3Gnetwork resources can be realised by attacking the W!" access

network, therefore it is i#portant to identify the security

re'uire#ents for 3G$W!" inter$working and choose a security

solution that is robust and dyna#ic to different levels of W!"

access network% The proposed architecture is based on the

tensible !uthentication *rotocol (!*) for +I&

!uthentication - .ey !gree#ent (!.!) and authori/ation

procedures, and secure tunnel establish#ent using I.v0

(Internet .ey change) *rotocol to #ini#i/e security threats%

We will also discuss the ter#ination of fake or forge W!"

session to protect the user confidential infor#ation on vulnerable

wireless link% The develop#ent is part of ecure ervice

*rovisioning (*) 1ra#ework of I* &ulti#edia yste# (I&) at

3Gb Testbed of 1okus 1raunhofer%

Keywords- Third Generation Networks, Vulnerability, Threats

and Attacks, Authentication and Key Agreement), Secure Tunnel.

4 *N#567/C#*6N

#!e "a8or security c!allenge o& ireless netorking and"obile co""unication is to )rotect netork resources andsecure end users Additional security "easures are re9uired tocou) it! t!e interce)tion o& data on t!e radio inter&aces andillegiti"ate access to "obile services #!e interce)tion o&users data breaks t!e con&identiality o& users in&or"ation andt!e illegiti"ate use o& services cause "as9uerading and &alsec!arging t!e users %irst ti"e t!e security "easures ere takeninto account in second-generation digital cellular syste"s egin GS Global Syste" &or obile co""unications.netorks ;= !as ado)tedan en!anced security &ra"eork &or t!e /niversal obile#eleco""unication Syste"s /#S. to overco"e t!e

eaknesses o& security inGS and ot!er >G netorks*n re&erence o& 3G security:;3= identi&ies t!e security)rinci)les and ob8ectives, ;?=!ig!lig!ts t!e security t!reatsand re9uire"ents, ;@=e+)lains t!e access security&or *P-based services and ;,?= discuss t!e securityarc!itecture

#!e security and data

)rivacy is a big c!allenge in

t!e convergence o&

teleco""unication and

*nternet tec!nologies because

any single security solution is

not suitable to )rovideco")lete security #!e

integration o& di&&erent access

tec!nologies causes "uc!

vulnerability and t!e !ackers

get access to steal &inancial and

con&idential in&or"ation #!e

/S* /ser Service *dentity

odule. can be used re"otely

via WLAN client &ro" serial,

in&rared, or 0luetoot!

connection to act as a s"art

card reader #!is in&rastructure

is vulnerable involving "anyaccess tec!nologies like

*n&rared, 0luetoot! or

Bi)erlan> *n &act "any t!reats

on 3G netorks in&rastructure

"ay be understood by

attacking t!e WLAN access

netork #!ere&ore it is

i")ortant to identity t!e

security re9uire"ents &or 3G-

WLAN inter-orking and

c!oose a security solution t!at

is robust and dyna"ic to

di&&erent levels o& WLAN

access netork ;= #!e

)ro)ose 3G-WLAN security

"odel is designed in aligned

it! 3GPP tec!nical

s)eci&ications to secure *P

ulti"edia Subsyste" *S.

;D= services on to) o& WLAN

access netorks by )roviding

security and )rivacy solution to

users as ell as netork

)roviders

#!e )a)er is organi$ed as:section ** describes di&&erentWLAN access scenariosEsection *** e+)loresvulnerability, security treatsand attacks )ossibilitiesE

section *V is about t!esecurity "ec!anis"s to)rotect 3G netork resourcesand user in&or"ation overWLAN and last sectionconcludes t!e ork

3@ 3G-WLANACC'SSSC'NA5*6S

#!ere are to )ossible

scenarios o& 3G netorksit! WLAN access )oints

A. 3G Home Network overWLAN Architecture

*n t!e &irst scenario, t!eWLAN Access GateayWAG. ;= resides in 3G!o"e netork as s!on in&igure


2/18

%igure )rocedure is aut!enticated using '+tensibleAut!entication Protocol 'AP. S* or 'AP AFA ; #!e !o"enetork is res)onsible &or access control #!e c!argingrecords can be generated in t!e visited and1or t!e !o"e 3Gnetorks #!e W"and Wore&erence )oints are intra-o)erator

#!e !o"e 3G netork inter&aces to ot!er 3GPP netorks viat!e inter-o)erator W# re&erence )oint #!e 3G AAA )ro+yrelays access control signaling and accounting in&or"ation tot!e !o"e 3G AAA server uses W#re&erence )oint *t can alsoissue c!arging records to t!e visited netork o&&line c!argingsyste" !en re9uired ;= #!e 3G netork inter&aces toWLAN access netorks via Ware&erence )oint


3/18


4/18

H W!enever so"eone tries to re"otely access /S*,so"e sort o& alert ill be sent eg "essage like alloor disallo in order to aut!ori$e users access

3H #!e /*CC !olding device is res)onsible &orsc!eduling all access to t!e /*CC

?H #!e /S* security reuse ill be in consistent it!current security setting and ensure t!at user security isnot co")ro"ised ;=

3 ecurit' Attacks cearios*n a ty)ical WLAN-3G inter-orking scenarios t!e

attacker can set u) a rouge access )oint AP. &or e+a")leatte")t to get &ree access, "odi&y legiti"ate user tra&&ic orlaunc! denial o& service attack ost o& t!e attacks lunc! atWLAN access netork "ay !ave i")lications on 3Gnetorks #!e attacks can be de)loyed re"otely over t!e

*nternet by setting u) a radio 8u")er in a !ots)ot to t!eWLAN to beco"e a legiti"ate user #!e &olloing are t!e)ossible attacks on 3G t!roug! WLAN access netorks

1) Attacks at WLAN +ser ,*ui-met#!e user ter"inals "ay be in&ected by viruses, #ro8an

!orses or ot!er "alicious so&tare #!ese )rogra"s o)erateit!out t!e knoledge o& t!e user on !is ter"inal to launc!"ulti)le ty)es o& attacks:

H #ro8ans "ay "onitor user keyboard or sensitive datao)eration activities and &orard to anot!er "ac!ine

3H alicious so&tare residing on di&&erent !osts can beused to launc! 7istributed 7oS 77oS. attacksagainst a target

>. Attacks rom Attacker ,*ui-met or Access PoitSeveral ty)es o& attacks are )ossible i& t!e attacker !as

access to a la)to) it! WLAN inter&aces or Access Point %orso"e WLAN tec!nologies, layer > control signaling are not

integrity )rotected and causing 7oS attacks *& t!ey are not)rotected t!e attacker can easily eavesdro) on t!e tra&&icbeteen a user and AP #!is ty)e o& attack can cause di&&erentt!reats %or e+a")le:


5/18


6/18

%igure ? USIM EAP AKA Procedure

*nWLAN 3G*P

access,aut!entication is)er&or"ed ina)rotectedtunnel!ic!)rovidesencry)

tion,integrity)rotectionandre)lay)rotection #oestablis!tunnel&ast re-

aut!entication isused tos)eedu) t!e)rocedure *&identity

)rivacysu))ort isused by t!e!o"enetork

and t!e W-/'received ate")oraryidentity ina )reviousaut!entication, it illuse it int!e tunnelaut!entication )rocess;= !ic!ill bee+)lainedinsubsection7

#!ete")oraryidentity touser isassignednot &or along ti"eso t!at usercan not betraced *&identity)rivacy isused butt!e AAAserver &ailsto identi&yt!e user byits

te")oraryidentity,t!e AAAserver illre9uest t!e

ne+t one int!e&olloingt!e order:


7/18


8/18

B. ,AP Autheticatio a# /e' A!reemet 0A/A) Proce#ure#!e WLAN access aut!entication signaling are e+ecuted

beteen W-/' and 3G AAA server and based on '+tensibleAut!entication Protocol 'AP. ;


9/18


10/18


11/18

%igure @ USIM Fast Re-Authentication Procedure

SecondInternationalConference onAvailability,Reliability andSecurity (ARES'07)0-769-!77-!"07

#!0$00 % !007

Authorized

licensed uselimited to: IEEE

Xplore. Downloaded onMarch 23, 2009 at

11:53 from IEEE Xplore.Restrictions apply.


12/18

4. 6ast Re7Autheticatio Proce#ureW!en aut!entication )rocesses !ave to )er&or" &re9uently,

it can cause !eavy netork load and bandidt! congestion *nt!is situation it is "ore e&&icient to )er&or" &ast re-aut!entications #!e &ast re-aut!entication )rocess allos t!eWLAN-AN Access Netork. to aut!enticate )reviouslyaut!enticated user in a lig!ter )rocess as s!on in &igure @,instead o& )er&or"ing again &ull aut!entication , %ast re-

aut!entication re-uses keys )reviously derived during &ullaut!entication #!is )rocedure is brie&ly e+)lained as &ollos:

H #!e AAA server sends 'AP 5e9uest1AFA 5e-Aut!entication to W-/' via W-AN, containingCounter, Nounce, AC, )rotected ne+t aut!entication*7 and result *7 )ara"eters

3H #!e W-/' sends 5es)onse1AFA 5e-Aut!enticationcontaining Counter, AC and result *7 )ara"eters toAAA server

?H A&ter t!e veri&ication, t!e AAA server sends successnoti&ication in 'AP1AFA Noti&ication to client and t!eclient sends back AFA Noti&ication in t!e 'AP5es)onse


13/18

%igure USIM

Tunnel IKE

Procedure

SecondInternationalConferenceonAvailability,Reliability

and

Security(ARES'07)0-769-!77-!"07#!0$00 %!007

Authorizedlicensed use

limited to: IEEE Xplore.Downloaded on March 23,

2009 at 11:53 from IEEEXplore. Restrictions apply.


14/18

D. (ue% Autheticatio a# Authori8atio#!e P7G Packet 7ata Gateay. is t!e end device on

netork side &or tunnel and W-/' and AAA server use*nternet Fey '+c!ange *F'v>. )rotocol as s)eci&ied in ;4= toestablis! t!e tunnel #!e 'AP "essages over *F'v> ill bee+c!anged beteen AAA server and WLAN client via P7Gt!roug! W" inter&ace #!e P7G e+tracts t!e 'AP "essages

received &ro" t!e W-/' over *F'v>, and sends t!e" to t!eAAA server over 7ia"eter #!e co")lete )rocedure ise+)lained in &igure


15/18


16/18

%igure Fraud Detection and Session Termination

*& t!e in&or"ation is t!e sa"e as it! an ongoing session, t!en

t!e aut!entication e+c!ange is related to t!e ongoing session, so

t!ere is no need to do anyt!ing &or old sessions *& it is t!e sa"e

client but it! a di&&erent AC address, or it! a di&&erent

VPLN identity or it! di&&erent radio netork in&or"ation t!atis received t!an in any ongoing session, t!e AAA server t!en

considers t!at t!e aut!entication e+c!ange is related to a ne

WLAN access session *t ill ter"inate an old WLAN access

session a&ter t!e success&ul aut!entication o& t!e ne WLAN

Access session, based on t!e )olicy !et!er si"ultaneous

sessions are not alloed, or !et!er t!e nu"ber o& alloed

sessions !as been e+ceeded *& t!e AC addresses old and ne.

are e9ual and t!e WLAN radio netork

Second InternationalConference onAvailability, Reliabilityand Security (ARES'07)0-769-!77-!"07 #!0$00% !007

Authorized





17/18

in&or"ation received is di&&erent &ro" t!e old one, t!e nesession is considered to be a &raudulent one and t!e AAA

server ter"inates t!e ne session

>> C6NCL/S*6NS

#!is )a)er )rovides an arc!itectural and i")le"entation)ers)ective o& 3G Netork over WLAN security "odel #!e

)ro)osed "odel is based on 3GPP tec!nical s)eci&ications and)rotocols to use 3G services over WLAN access netorks in asecure and )rotected ay #!is researc! ork is )art o& SecureService Provisioning SSP. %ra"eork ;?= to )rovide secureservices to 3Gb #estbed ;, No3 >. >>@->@D, *SSN: ?: Q*nternet Fey '+c!ange*F'v>. ProtocolQ

;?


18/18

Authorized




test bed for-security ieee

Documents