VARNOST V BREZŽIČNIH OMREŽJIH
Download
Report
Transcript VARNOST V BREZŽIČNIH OMREŽJIH
VARNOST V
BREZŽIČNIH OMREŽJIH
Review of Wireless Security
Kruno Kisiček, CISM
Februar, 2007
Contents:
Introduction - Wireless Landscape (Wireless
technologies, Architectural Models,
Components, Security Framework,..
Comprehensive Review of 802.11(i)
Wireless LAN Security
Review of GSM/UMTS Wireless Security
Review of WiMAX Wireless Security
Summary
Background: Wireless Landscape
Low Cost &
Complexity
High-Speed Connectivity
&
Hierarchy of Networks
Personal Area
Network
Local Area Networks
(e.g. 802.11)
Fixed Broadband Wireless (e.g.802.16)
Cellular Mobile Networks (e.g. GPRS,3G)
High Cost
&
Complexity
Satellite
Global Area Network
Increasing Coverage Area
Background: Wireless Technologies
WAN
(Wide Area Network)
MAN
(Metropolitan Area Network)
LAN
(Local Area Network)
PAN
(Personal Area
Network)
PAN
LAN
MAN
WAN
Bluetooth, UWB
802.11
HiperLAN2
802.16
MMDS, LMDS
GSM, GPRS,
CDMA, 2.5-3G, HSDPA
802.16e
Speed
< 1Mbps
11 to 54 Mbps
11 to 100+ Mbps
10 Kbps – 100+Mbps
Range
Short
Medium
Medium-Long
Long
Peer-to-Peer
Device-to-Device
Enterprise networks
T1 replacement, last
mile access
PDAs, Mobile Phones,
cellular access
Standards
Applications
Comparing Technologies
802.11
WiFi
802.16
WiMAX
802.20
Mobile-FI
UMTS
3G
Bandwidth
11-54 Mbps shared
Share up to 70 Mbps
Up to 1.5 Mbps each
384 Kbps – 2 Mbps
Range (LOS)
Range (NLOS)
100 meters
30 meters
30 – 50 km
2 - 5 km (’07)
3 – 8 km
Coverage is overlaid
on wireless
infrastructure
Mobility
Portable
Fixed (Mobile - 16e)
Full mobility
Full mobility
Frequency/
Spectrum
2.4 GHz for 802.11b/g
5.2 GHz for 802.11a
2-11 GHz for 802.16a
11-60 GHz for 802.16
<3.5 GHz
Existing wireless
spectrum
Licensing
Unlicensed
Both
Licensed
Licensed
Standardization
802.11a, b and g
standardized
802.16, 802.16a and 802.16
REVd standardized, other
under development
802.20 in
development
Part of GSM standard
Availability
In market today
In market today
Standards coming
Product late ’06 (???)
Widely
Potential Services
802.11
WiFi
802.16
WiMAX
802.20
Mobile-FI
UMTS
3G
VoIP
Limited, QoS
concerns
Limited, QoS
concerns
Limited, QoS
concerns
Yes
Video
Yes, in home
Possible, QoS
concerns
No
Possible, via
HSDPA
Data/Internet
Yes
Yes
Yes
Yes
WLAN
Yes, small scale
Yes, large scale
No
No
Security
WEP &
802.11i
Developing WEP
None (today)
A3/A5/A8/..
QoS
802.11e
802.16b
None (today)
Limited
IEEE 802.11 Standards
- Wireless Fidelity (Wi-Fi)
802.11n
Release Date
January 2007 (Linksys)
Op. Frequency
2.4 GHz or 5 GHz
Data Rate (Typ)
200 Mbit/s
Data Rate (Max)
540 Mbit/s
Range (Indoor)
~50 meters (~165 ft)
IEEE 802.11 Network Components
IEEE 802.11 has two fundamental architectural
components, as follows:
+ Station (STA). A STA is a wireless endpoint device.
Typical examples of STAs are laptop computers,
personal digital assistants (PDA), mobile phones, and
other consumer electronic devices with IEEE 802.11
capabilities.
+ Access Point (AP). An AP logically connects STAs
with a distribution system (DS), which is typically an
organization’s wired infrastructure. APs can also
logically connect wireless STAs with each other without
accessing a distribution system.
IEEE 802.11 Architectural Models
Overview of IEEE 802.11 Security
The most common security objectives for WLANs are
as follows:
Confidentiality—ensure that communication cannot
be read by unauthorized parties
Integrity—detect any intentional or unintentional
changes to data that occur in transit
Availability—ensure that devices and individuals can
access a network and its resources whenever needed
Access Control—restrict the rights of devices or
individuals to access a network or resources within a
network.
Major Threats against LAN Security
Taxonomy for Pre-RSN and RSN
Security
802.11 Station Authentication
1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and
sends an authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association
request frame to the access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point
Probe Request Frame
Access Control and Authentication
The original IEEE 802.11 specification defines
two means to validate the identities of
wireless devices attempting to gain access to
a WLAN:
open system authentication and
shared key authentication.
Open system authentication
Open system authentication is effectively a null authentication
mechanism that does not provide true identity verification. In
practice, a STA is authenticated to an AP simply by providing the
following information:
Service Set Identifier (SSID) for the AP. The SSID is a name
assigned to a WLAN; it allows STAs to distinguish one WLAN
from another. SSIDs are broadcast in plaintext in wireless
communications, so an eavesdropper can easily learn the SSID
for a WLAN.
Media Access Control (MAC) address for the STA. Many
implementations of IEEE 802.11 allow administrators to specify
a list of authorized MAC addresses; the AP will permit devices
with those MAC addresses only to use the WLAN. This is
known as MAC address filtering. Unfortunately, almost all
WLAN adapters allow applications to set the MAC address, so it
is relatively trivial to spoof a MAC address, meaning attackers
can gain unauthorized access easily.
Open Authentication with Differing
WEP Keys
Shared key authentication
As the name implies, shared key authentication is based on a secret
cryptographic key known as a Wired Equivalent Privacy (WEP) key;
this key is shared by legitimate STAs and APs.
Shared key authentication
Shared key authentication is still weak because
AP is not authenticated to the STA, so there is no
assurance that the STA is communicating with a
legitimate AP
Challenge-response process can be compromised by
methods such as man-in-the-middle attacks and offline brute force or dictionary attacks.
All devices on a WLAN use the same WEP key or the
same small set of keys
Does not specify any support for key management.
Encryption
The WEP protocol, part of the IEEE 802.11 standard,
uses the RC4 stream cipher algorithm to encrypt
wireless communications, which protects their
contents from disclosure to eavesdroppers.
The standard for WEP specifies support for a 40-bit
WEP key only; however, many vendors offer nonstandard extensions to WEP that support key lengths
of up to 104 bits.
WEP also uses a 24-bit value known as an
initialization vector (IV) as a seed value for initializing
the cryptographic key stream. For example, a 104-bit
WEP key with a 24-bit IV becomes a 128-bit RC4
key.
WEP Encryption and Its
Weaknesses
With ECB (Electronic Code Book) mode encryption, the same plain-text
input always generates the same cipher-text output.
There are two encryption techniques to overcome this issue:
• Initialization vectors
• Feedback modes
An initialization vector (IV) is used to alter the key stream. The IV is a
numeric value that is concatenated to the base key before the key
stream is generated. Every time the IV changes, so does the key
stream.
Feedback modes are generally used with block ciphers, and the most
common feedback mode is known as cipher block chaining (CBC)
mode.
WEP Privacy Using RC4 Algorithm
Encryption
Most attacks against WEP encryption have been
based on IV-related vulnerabilities. For example, the
IV portion of the RC4 key is sent in cleartext, which
allows an eavesdropper that monitors and analyzes a
relatively small amount of network traffic to recover
the key by taking advantage of the IV value
knowledge, the relatively small 24-bit IV key space,
and a weakness in the way WEP implements the
RC4 algorithm.
Vulnerability of Shared Key
Authentication
Initialization Vector Replay Attacks
1.
2.
3.
4.
A known plain-text message is sent to an observable wireless LAN client (an e-mail
message)
The network attacker will sniff the wireless LAN looking for the predicted cipher text
The network attacker will find the known frame and derive the key stream
The network attacker can “grow” the key stream using the same IV/WEP key pair as the
observed frame
This attack is based on the knowledge that the IV and base WEP key can be reused or
replayed repeatedly to generate a key stream large enough to subvert the network.
Initialization Vector Replay Attacks
1.
2.
3.
4.
5.
The network attacker can build a frame one byte larger than the known key stream
size; an Internet Control Message Protocol (ICMP) echo frame is ideal because the
access point solicits a response
The network attacker then augments the key stream by one byte
The additional byte is guessed because only 256 possible values are possible
When the network attacker guesses the correct value, the expected response is
received: in this example, the ICMP echo reply message
The process is repeated until the desired key stream length is obtained
Bit-Flipping Attack
Bit-Flipping Attack
CBC Mode Block Cipher
VPN WLAN Design
WEP Cracking Tools
• Airsnort (airsnort.schmoo.com)
• WepAttack (wepattack.sourcefourge.net)
• WEPCrack
(sourceforge.net/projects/wepcrack)
• Weplab (sourceforge.net/projects/weplab)
• Aircrack (www.aircrack-ng.org)
Typical Security Incidents
Unauthorized association and snooping
Access Point Intrusion
Intrusion attempts (WLAN and Wired Network)
Loss of confidential data
Data Capture and Replay Attacks
Bandwidth Theft
Unauthorized Rogue Access Points
Wireless clients associate with wrong access point
(Fake Access Points)
Step 1 – Security Policy Review
Wireless LAN treated as ‘external’ network
Approval for wireless infrastructure and
clients
Security Architecture and Design Review
Access Point Configuration Standards
Authentication and Encryption Baseline
Logging, Monitoring, Intrusion Detection
Wireless Vulnerability Assessment
Step 2 – Architecture Assessment
Security Architecture and Design
Network segmentation control (firewall)
Secure configuration of Access Points
VPN (IPsec or SSL)
Authentication of wireless clients
Encryption of wireless traffic
Logging, and monitoring wireless security
logs
Step 3 – Risk Assessment
Document Wireless Architecture,
Components,Security Configuration
Threat Assessment
Vulnerability Assessment
Controls Assessment
Assess Risk
Control Recommendations
Vulnerability Assessment
Wireless Assessment Toolkit
Linux-based toolkits
Knoppix (knoppix.net)
Nmap; Nessus (testing from wired LAN)
Tools
Network Discovery
WEP/WPA Cracking Tools
Packet Capture Tools
Known exploit code
Network Discovery
Laptop / PDA
Wireless network card
Network Discovery
Tools:
Kismet
NetStumbler
Ministumbler
Antenna
GPS Unit
Rogue Access Point
detection
Tools / Solutions
Airmagnet (www.airmagnet.com)
Retina WiFi Scanner (www.eeye.com)
Kismet (www.kismetwireless.net)
Pocketwarrior (www.pocketwarrior.org)
WiFiFoFum (www.aspecto-software.com)
Step 4 – AP Configuration Review
Access Point Configuration
telnet, http, snmp
default authentication
SSID Configuration
Authentication & Encryption Setup
Logging Enabled
Step 5 – Authentication &
Encryption
WPA
Subset of 802.11i
Confidentiality:TKIP
Authentication - Per-user or Pre-shared key
Integrity Mechanisms
802.11i (WPA2)
Addresses the main problems of WEP and Shared-Key Authentication
Temporal Key Integrity Protocol (TKIP)
Message Integrity Control ~ Michael
AES Encryption replacement for RC4
802.1x
Framework to control port access between devices, AP, and servers
Not specific to 802.11 networks
Uses dynamic keys instead of the WEP authentication static key
Wi-Fi Alliance Certification
Programs
The Wi-Fi Alliance began conducting interoperability
testing in April 2000 and has since awarded its Wi-Fi
CERTIFIED label to over 2,500 WLAN products.
Product categories include access points and a wide
variety of clients.
Three basic types of certifications: radio standards,
network security, and multimedia content support.
The Wi-Fi Alliance also manages a licensing program
for Wi-Fi providers called Wi-Fi Zone. Organizations
participating in the program agree to use Wi-Fi
CERTIFIEDTM products only and adhere to certain
service standards.
Wi-Fi Alliance
The Wi-Fi Alliance introduced WPA in early 2003 to address
serious vulnerabilities inherent in WEP, which was the only
available IEEE 802.11 security protection at that time. WPA is
essentially a subset of IEEE 802.11i that provides a solution to
WEP’s major problems. To accomplish this protection, WPA
leverages the following core security features from IEEE
802.11i:
IEEE 802.1X and EAP authentication
Key generation and distribution based on the IEEE 802.11i
4-Way Handshake
TKIP mechanisms including
Encapsulation and decapsulation
Replay protection
Michael MIC integrity protection.
Brief Overview of IEEE 802.11i
Security
IEEE 802.11i references the Extensible
Authentication Protocol (EAP) standard, which is a
means for providing mutual authentication between
STAs and the WLAN infrastructure, as well as
performing automatic cryptographic key distribution.
IEEE 802.11i also uses some techniques derived
from the Internet Protocol Security (IPsec) standard,
such as generating cryptographic checksums through
hash message authentication codes (HMAC).
802.1X Layers
EAP – SIM
GSM SIM
Authentication
802.1X Ports
802.1X requires three entities:
The supplicant–—Resides on the wireless LAN client
The authenticator–—Resides on the access point
The authentication server—Resides on the RADIUS server
IEEE 802.1X defines IEEE 802 encapsulation of EAP messages
EAP over LAN (EAPOL) messages
802.1X and EAP Message Flow
EAP
EAP supports a wide variety of authentication
methods (rfc3748), also called EAP methods.
These methods include authentication based
on passwords, certificates, smart cards, and
tokens.
EAP methods can also include combinations
of authentication techniques, such as a
certificate followed by a password, or the
option of using either a smart card or a token.
EAP methods
The current WPA/WPA2 certified EAP
methods are:
EAP-TLS (originally certified protocol)
EAP-TTLS/MSCHAPv2
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
EAP-SIM
Pairwise Key Hierarchy
Summary of Data Confidentiality
and Integrity Protocols
The EAP Cisco Authentication
Algorithm
Mutual Authentication
User-Based Authentication
Dynamic WEP Keys
Data Privacy with TKIP
A message integrity check (MIC) function on all WEPencrypted data frames
Initialization vector/base key reuse—The MIC adds
a sequence number field to the wireless frame. The
access point will drop frames received out of order.
Frame tampering/bit flipping—The MIC feature
adds a MIC field to the wireless frame. The MIC field
provides a frame integrity check not vulnerable to the
same mathematical shortcomings as the ICV.
Per-packet keying on all WEP-encrypted data frames
Per-packet keying
Cisco LEAP - password-based algorithm.
EAP-TLS Authentication Process
EAP Transport Layer Security
TLS comprises three protocols:
Handshake protocol—The handshake protocol
negotiates the parameters for the SSL session. The
SSL client and server negotiate the protocol version,
encryption algorithms, authenticate each another,
and derive encryption keys.
Record protocol—The record protocol facilitates
encrypted exchanges between the SSL client and the
server. The negotiated encryption scheme and
encryption keys are used to provide a secure tunnel
for application data between the SSL endpoints.
Alert protocol—The alert protocol is the mechanism
used to notify the SSL client or server of errors as
well as session termination.
Protected EAP
Protected EAP (PEAP), is EAP authentication type that is
designed to allow hybrid authentication.
PEAP employs server-side PKI authentication. For client-side
authentication, PEAP can use any other EAP authentication
type.
Because PEAP establishes a secure tunnel via server-side
authentication, non-mutually authenticating EAP types can be
used for client-side authentication, such as EAP generic token
card (GTC) for one-time passwords (OTP), and EAP MD5 for
password based authentication.
PEAP is based on server-side EAP-TLS, and it addresses the
manageability and scalability shortcomings of EAP-TLS.
Organizations can avoid the issues associated with installing
digital certificates on every client machine as required by EAPTLS and select the method of client authentication that best
suits them.
Protected EAP
EAP SIM Architecture
EAP SIM authentication is based on the authentication and
encryption algorithms stored on the Global System for Mobile
Communications (GSM) SIM, which is a Smartcard designed
according to the specific requirements detailed in the GSM
standards.
GSM authentication is based on a challenge-response mechanism
and employs a shared secret key, Ki, which is stored on the SIM and
otherwise known only to the GSM operator’s Authentication Center
(AuC).
When a GSM SIM is given a 128-bit random number (RAND) as a
challenge, it calculates a 32-bit response (SRES) and a 64-bit
encryption key (Kc) using an operator-specific confidential algorithm.
In GSM systems, Kc is used to encrypt mobile phone conversations
over the air interface.
EAP SIM Authentication
UMTS system architecture (R99)
UMTS and GSM
Security objectives
Problems with GSM Security
Weak authentication and encryption algorithms (COMP128
has a weakness allowing user impersonation; A5 can be
broken to revealthe cipher key)
Short key length (32 bits)
No data integrity (allows certain denial of service attacks)
No network authentication (false base station attack
possible)
Limited encryption scope (Encryption terminated at the
base station, in clear on microwave links)
Insecure key transmission (Cipher keys and authentication
parameters are transmitted in clear between and within
networks)
3G Security Features
Mutual Authentication
The mobile user and the serving network authenticate each other
Data Integrity
Signaling messages between the mobile station and RNC protected
by integrity code
Network to Network Security
Secure communication between serving networks. IPsec suggested
Wider Security Scope
Security is based within the RNC rather than the base station
Secure IMSI (International Mobile Subscriber Identity) Usage
The user is assigned a temporary IMSI by the serving network
3G Security Features
User –Mobile Station Authentication
The user and the mobile station share a secret key, PIN
Secure Services
Protect against misuse of services provided by the home
network and the serving network
Secure Applications
Provide security for applications resident on mobile station
Fraud Detection
Mechanisms to combating fraud in roaming situations
Flexibility
Security features can be extended and enhanced as
required by new threats and services
3G Security Features
Visibility and Configurability
Users are notified whether security is on and what level of
security is available
Multiple Cipher and Integrity Algorithms
The user and the network negotiate and agree on chipher
and integrity algorithms. At least one encryption algorithm
exported on world-wide basis (KASUMI)
Lawful Interception
Mechanisms to provide authorized agencies with certain
information about subscribers
GSM Compatibility
GSM subscribers roaming in 3G network are supported by
GSM security context (vulnerable to false base station)
Authentication and Key Agreement
Encryption
Signaling and user data protected from eavesdropping. Secret key,
block cipher algorithm (KASUMI) uses 128 bit cipher key.
At the mobile station and RNC (radio network controller)
Integrity Check
Integrity and authentication of origin of signalling data provided. The
integrity algorithm (KASUMI) uses 128 bit key and generates 64 bit
message authentication code.
At the mobile station and RNC (radio network controller)
WiMAX Overview
Complement the existing last mile
wired networks (i.e. xDSL, cable
modem)
Fast deployment, cost saving
High speed data, voice and video
services
Fixed BWA, Mobile BWA
WiMAX Applications
3
2
FRACTIONAL E1 for
SMALL BUSINESS BACKHAUL for
HOTSPOTS
T1+ LEVEL SERVICE
ENTERPRISE
1
Mobile
Backhaul
RESIDENTIAL & SoHo
DSL LEVEL SERVICE
802.16d
802.16d
802.16e
5
INTERNET
BACKBONE
BWA Operator Network
Backbone
Mobility
4
WMAN Nomadic Coverage -->
handoff from HOT SPOTS
H
H
H
H
H
H
H
H
H
= wide area coverage
outside of Hot Spots
Benefits of WiMAX
●
Speed
●
Wireless
●
Faster than broadband service
Not having to lay cables reduces cost
Easier to extend to suburban and rural areas
Broad coverage
Much wider coverage than WiFi hotspots
Security Issues
Provides subscribers with privacy across the fixed broadband wireless
network
Protect against unauthorized access to the data transport services
Encrypt the associated service flows across the network.
Implemented by encrypting connections between SS and BS
Security mechanisms
Authentication
Access control
Message encryption
Message modification detection (Integrity)
Message replay protection
Key management
Key generation, key transport, key protection, Key derivation, Key
usage
Security Association
Data SA
Authorization SA
16-bit SA identifier
Cipher to protect data:
DES-CBC
2 TEK
TEK key identifier (2-bit)
TEK lifetime
64-bit IV
X.509 certificate SS
160-bit authorization key (AK)
4-bit AK identification tag
Lifetime of AK
KEK for distribution of TEK
= Truncate-128(SHA1(((AK| 044)
xor 5364)
Downlink HMAC key
= SHA1((AK|044) xor 3A64)
Uplink HMAC key
= SHA1((AK|044) xor 5C64)
A list of authorized data SAs
IEEE 802.16 Security Process
Authentication
SS →BS: Cert(Manufacturer(SS))
SS →BS: Cert(SS) | Capabilities | SAID
BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList
Key Derivation
KEK = Truncate-128(SHA1(((AK|
044) xor 5364)
Downlink HMAC key = SHA1((AK|044)
xor 3A64)
Uplink HMAC key = SHA1((AK|044)
xor 5C64)
Data Key Exchange
Data Key Exchange
Traffic Encryption Key (TEK)
TEK is generated by BS randomly
TEK is encrypted with
Triple-DES (use 128 bits KEK)
RSA (use SS’s public key)
AES (use 128 bits KEK)
Key Exchange message is authenticated by HMAC-
SHA1 – (provides Message Integrity and AK
confirmation)
Data Encryption
Data Encryption
Encrypt only data message not management message
DES in CBC Mode
56 bit DES key (TEK)
No Message Integrity Detection
No Replay Protection
Key Management
Message 1:
BS →SS: SeqNo | SAID | HMAC(1)
Message 2:
SS →BS: SeqNo | SAID | HMAC(2)
Message 3:
BS →SS: SeqNo | SAID | OldTEK |NewTEK | HMAC(3)
M1: to rekey a data SA, or create a new SA
TEK: encrypted with Triple-DES-ECB
IEEE 802.16 Security Flaws
Lack of Explicit Definitions
Authorization SA not explicitly defined
SA instances not distinguished: open to replay attacks
Solution: Need to add nonces from BS and SS to the authorization
SA
Data SA treats 2-bit key as circular buffer
Attacker can interject reused TEKs
SAID: 2 bits at least 12 bits (AK lasts 70 days while TEK lasts for 30
minutes)
TEKs need expiration due to DES-CBC mode
Determine the period: 802.16 can safely produce 2^32 64-bit blocks only.
IEEE 802.16 Security Flaws
Need for mutual authentication
Authentication is one way
BS authenticates SS
No way for SS to authenticate BS
Rouge BS possible because all information's are public
Possible enhancement : BS certificate
SSBS : Cert (Manufacturer)
SSBS : SS-Rand | Cert(SS) | Capabilities | SAID
BSSS : BS-Rand | SS-Rand | E(Pub(SS),AK)| Lifetime | Seq No | SAID | Cert
(BS) | Sig (BS)
IEEE 802.16 Security Flaws
Authentication Key (AK) generation
BS generates AK
No contribution from SS
SS must trust BS for the generation of AK
AK = HMAC-SHA1(contribution from SS+ contribution from BS)
AK = HMAC-SHA1(pre-AK, SS-Random | BS-Random | SSMAC-Addr | BS-MAC-Addr | 160)
IEEE 802.16 Security Flaws
Key management
TEK sequence space (2-bit sequence #)
Replay attack can force reuse of TEK/IV
Increase it to 12-bit
No specification on the generation of TEK and therefore TEKs are random
No TEK freshness assurance
Message 1:
BS → SS: SS-Random | BS-Random | SeqNo12 | SAID | HMAC(1)]
Message 2:
SS → BS: SS-Random | BS-Random | SeqNo12 | SAID | HMAC(2)
Message 3:
BS →SS: SS-Random | BS-Random | SeqNo12 | SAID | OldTEK | NewTEK | HMAC(3)
Not transmit TEK, generate TEK:
TEK = HMAC-SHA1(pre-TEK, SS-Random | BS-Random | SS-MAC-Addr | BS-MAC-Addr |
SeqNo12 | 160)
SS-Random | BS-Random is used as an instance identifier
IEEE 802.16 Security Flaws
Alternative Cryptographic Suite
IEEE 802.16 used DES-CBC
DES uses 64 bit block size
According to studies a CBC mode using block cipher with n-bit
block loses its security after operating on 2^n/2 blocks with the
same encryption key.
So IEEE 802.16 can safely produce 2^32 64-bit blocks.
Also IV used in DES-CBC are predictable.
Use AES-CCM as encryption primitive
128 bit key (TEK)
HMAC-SHA1
Replay Protection using Packet Number
IEEE 802.16 Security Flaws
Data protection errors
56-bit DES… does not offer strong data confidentiality
Forgeries or replies (WEP-like vulnerability)
Writes are not prevented, read-protects only
even w/o encryption key
Uses a PREDICTABLE initialization vector (while DES-CBC
requires a random IV)
IV is the xor of the IV in SA and the PHY synchronization field from
the most recent GMH
Generates each per-frame IV randomly and inserts into the
payload.
Though increases overhead, no other choice.
IEEE 802.16 Security Flaws
No data Authentication
Encryption only prevents reading but any one without
key can write (change the message).
Strong MAC needs to be included in the message
References
Wireless Security Reference Site
www.wardrive.net
Wireless Security Policies
www.sans.org/resources/policies
NIST Wireless Network Security (includes wireless
security checklist)
csrc.nist.gov/publications/drafts/draft-sp800-97.pdf
Wireless Security Checklists
www.cisecurity.org
www.sans.org/score/