Transcript Security in Wireless Networks: using PHY resources to do better

September 2008
doc.: IEEE 802.11-08/0973r0
Security in Wireless Networks: using PHY
resources to do better
Date: 2008-09-08
Authors:
Name
Affiliations
Address
Phone
email
Alex Reznik
InterDigital
Communications, LLC
781 Third Avenue
King of Prussia, PA 19406
+1 610.878.5784
alex.reznik@InterDig
Joseph Levy
InterDigital
Communications, LLC
2 Huntington Quadrangle
4th Floor, South Wing
Melville, NY 11747
+1 631.622.4139
joseph.levy@InterDig
Submission
Slide 1
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Abstract
Current 802.11 security provides excellent data security,
however the network itself is currently vulnerable to
physical layer threats which can jeopardize network
availability and reliability. These vulnerabilities limit
the usefulness and reliability of 802.11 and excluded
802.11 from several markets which require higher
levels of physical security. The authors wish to start a
dialogue on the need for physical layer security leading
to an understanding of the potential for physical layer
security solutions.
Submission
Slide 2
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
WLANs today
• Usage
– Most WLANs are used
as a data network
– Provide access (via IP)
to a broadband
network
The
NET
• Security
requirements
– Secure transmitted data
– Limit access to
network owner via preshared keys
Submission
Slide 3
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
WLANs in the Emerging World
•
Automatio
n
WLAN
Usage
– Data (IP) access to a broadband network
– Streaming applications over IP (e.g.
VoIP, Video)
– Interactive local application (distributed
gaming)
– Localized Mesh network with limited/no
extra-net access
– Machine-to-Machine communication
•
•
•
The NET
•
Security requirements
– Secure transmitted data
– Access control based on
•
•
–
–
Local
WLAN
Submission
–
–
Slide 4
Home and Small Enterprise Automation
SensorNet-to-DataNet interaction
Distributed Computation
Pre-shared keys (e.g. WPA)
ID (user and device) based access
Enforce network usage policies
Mesh security without a third-party
certificate authority
Ensure network availability
Location-based requirements
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Current WLAN Security: Up to the Coming Challenges?
•
Design dominated by a data-centric network philosophy
–
Data is key. We need to be able to
•
•
–
–
–
The NETWORK is just there to move the data
Result: protect data first, and maybe the network later – and only a little bit
Wireless access viewed as a derivative of a wired network
•
•
Secure it against eavesdropping
Control and restrict access to it
Access component is just another plug-in
Why go beyond this paradigm?
–
Wireless networks are vulnerable in ways that wired networks are not
•
•
•
•
–
In the emerging WLAN world these vulnerabilities will matter
•
•
–
Public networks for residential and business application are becoming for widespread
Device authentication is increasingly desirable to maintain viability of such networks
Medium access control may become critical to maintaining critical services over wireless networks
As an example, see, e.g. 802.1AE and related activities (802.1AF, 802.1AR, 8021X-2004-REV)
Wireless LAN has not addressed these issues as of yet, to our knowledge
•
Submission
Data communication with “The NET” is just one of the things the network does
Attacks targeting availability, access control, location, etc. become much more disruptive
These vulnerabilities are becoming a concern (even in wired networks)
•
•
•
•
–
Network violation does not require physical access
There are multiple ways in which a wireless network can be prevented from operating (jammed/spoofed)
Information is of a broadcast nature and extends beyond physical boundaries
Authentication is not secure (spoofing is possible at the MAC/PHY level)
But the network/medium are significantly more vulnerable
Slide 5
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Moving Forward On Security
•
Currently existing security components provide:
–
•
End-to-end data protection
Limited or non-existing WLAN security
components:
–
Device/host identity capability
–
•
–
Trust.
SW
Device security
•
Combined with trusted computing concepts
Location privacy assurance techniques
Local network security
•
•
•
Higher-Layer Protocols
Protect availability/access/usage of the physical medium
Enable location-based policies
These impact all layers of the architecture
–
–
–
–
–
Commonly used higher-layer protocols need to be
enhanced with existing and new ones (e.g. IETF’s HIP,
PBS, etc.)
Security Manager is needed for integration of higherlayer security policies and requirements with
transmission medium capabilities
MAC support is required to make existing protocols
attack-proof (e.g. CSMA), provide support for higher
layer protocols (e.g. PBS, 802.1X-type authentication, •
etc.) and interface with PHY
PHY is required to monitor the medium, implement
protocols as required by MAC
At all levels, services provided by secure platforms
(e.g. via TPM) may be required
Submission
Slide 6
P
L
A
T
F
O
R
M
TPM
TLS
Location
IPSec
802.1X
HIP
PBS
WLAN
Security Manager
Data
Path
MAC Security Protocols
WLAN MAC
Dev
ID
Data
Path
Trust.
SW
PHY Security Support
WLAN PHY
In this talk
–
–
Concentrate on protection/access/usage of
the physical medium
This is directly in scope for 802.11: as it
inherently relies on PHY and MAC
mechanisms
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
High-Level Threat Analysis for 802.11
Security
Attribute
Authentication
Authorization
Confidentiality
Integrity
Availability
Non
Repudiation
Threat
Traffic Analysis
■
Passive
Eavesdropping
■
Active
Eavesdropping
■
■
■
Man in the middle
■
■
■
Session
high-jacking
■
■
■
Replay
■
■
■
Unauthorized
Access
■
■
■
Denial of
Service
■
False Identity
■
■
■
■
■
■
■
Addressed by
802.11i
802.11i +w
x
x
√
√
√
√
√
√
√
√
√
√
x
x
x
x
x
x
■
■
■
■
■
■
■
■
■
■
■
■
■
■
These vulnerabilities are broad when viewed from a network perspective and are
subject to a broad number of different attacks. These are identified (and in part
addressed by 802.1), but not by 802.11
Submission
Slide 7
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Attacks defined by 802.1AE are possible in WLAN
802.1AE vulnerabilities
WLAN vulnerabilities
WLAN Threats
Inability to issue service requests
Broadcast nature of the medium
Passive Eavesdropping
Indiscriminate loss of service indicators
Unauthenticated transmission medium
Active Eavesdropping
Specifically targeted loss of service indicator
Unimpeded access to the medium
Man-in-the-middle
Repeated service indications at the intended
destinations
Transmission of packets by illegitimate
terminals
Session Highjacking
Service indications with modified address or
data parameters
Transmission of rogue packets by legitimate
terminals
Replay
Additional modified service indications
Smart jamming to disrupt packet delviery
DoS
Service indications at unintended recipients
Smart jamming to disrupt network operation
False MAC Identity
Delayed service indications that can
disrupt network operations
Targeted jamming of a specific terminal
Traffic Analysis
Disclosure of MSDU (payload) to
unintended recipients
Unecrypted transmission medium
Unauthorized Access
Information disclosure through location
tracking
Sec. 6.6 of 802.1AE
Improper transmission parameters (e.g.
power too high) affecting network operation
Physical Layer Security can mitigate
these threats
Submission
Slide 8
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Example Attack 1: A Low-Power Jammer
•
Simple MAC jamming attack using low-power
–
–
–
Attacking terminal reverses the CSMA process – transmits whenever it detects energy on the channel
Legitimate terminals forced into even increasing back-off
Average power required for the attack is low
•
•
•
Initial power consumption is relative high
After a fairly short period, most terminals are in a long back-off state
The CSMA protocol assists in the attack
802.1AE vulnerabilities
WLAN vulnerabilities
WLAN Threats
Inability to issue service requests
Broadcast nature of the medium
Passive Eavesdropping
Indiscriminate loss of service indicators
Unauthenticated transmission medium
Active Eavesdropping
Specifically targeted loss of service indicator
Unimpeded access to the medium
Man-in-the-middle
Repeated service indications at the intended
destinations
Transmission of packets by illegitimate
terminals
Session Highjacking
Service indications with modified address or
data parameters
Transmission of rogue packets by legitimate
terminals
Replay
Additional modified service indications
Smart jamming to disrupt packet delviery
DoS
Service indications at unintended recipients
Smart jamming to disrupt network operation
False MAC Identity
Delayed service indications that can
disrupt network operations
Targeted jamming of a specific terminal
Traffic Analysis
Disclosure of MSDU (payload) to
unintended recipients
Unecrypted transmission medium
Unauthorized Access
Information disclosure through location
tracking
Improper transmission parameters (e.g.
power too high) affecting network operation
Submission
Slide 9
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Example Attack 2: Sybil Attack
•
A terminal uses multiple MAC addresses:
– Increases its share of bandwidth utilization
– Attempts a service specific DoS (e.g. multiple authentication/association
requests)
802.1AE vulnerabilities
WLAN vulnerabilities
WLAN Threats
Inability to issue service requests
Broadcast nature of the medium
Passive Eavesdropping
Indiscriminate loss of service indicators
Unauthenticated transmission medium
Active Eavesdropping
Specifically targeted loss of service indicator
Unimpeded access to the medium
Man-in-the-middle
Repeated service indications at the intended
destinations
Transmission of packets by illegitimate
terminals
Session Highjacking
Service indications with modified address or
data parameters
Transmission of rogue packets by legitimate
terminals
Replay
Additional modified service indications
Smart jamming to disrupt packet delviery
DoS
Service indications at unintended recipients
Smart jamming to disrupt network operation
False MAC Identity
Delayed service indications that can
disrupt network operations
Targeted jamming of a specific terminal
Traffic Analysis
Disclosure of MSDU (payload) to
unintended recipients
Unecrypted transmission medium
Unauthorized Access
Information disclosure through location
tracking
Improper transmission parameters (e.g.
power too high) affecting network operation
Submission
Slide 10
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Further Vulnerabilities: Diving into the MAC
• 802.1AE is concerned with services provided by the MAC
– This misses certain vulnerabilities of the MAC itself
– The complex relationship between 802.1X and 802.1AE/802.11i exposes
802.1X to potential attacks as well
• Examples of 802.1X vulnerabilities
– [as noted in Example 2] Sybil attack can be used to target
association/authentication DoS
– Authentication/Encryption “chicken and egg” problem
• 802.1X relies on 802.1AE/802.11i for a secure channel
• 802.1AE (through 802.1AF) and 802.11i rely on 802.1x for key generation to
secure the channel
• This results in a vulnerability – the initial authentication exchange is unprotected
– e.g. Class 1 and Class 2 management frames are not protected by 802.11w
• The mesh problem
– End-to-end MAC services transition from a single wireless hop to multiple
hops
– Vulnerabilities associated with link (in)security become more problematic
for the network
– e.g. current 802.11s draft requires connection to a AAA server for peer-topeer security in a mesh
Submission
Slide 11
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Addressing the threats in a wireless setting
• Challenges:
– Confidentiality/authentication techniques cannot address DoS attacks
aimed at the network itself
• 802.1AE techniques need to be examined, but are insufficient in a wireless
context
– Smart Jamming can masquerade as generic interference
• Not addressed by 802.1AE as the problem is absent in wired systems
– Terminal location is a priori uncertain
• No connection to a port that signals can be traced back to
– Alternate “secure key source” for confidentiality/authentication of pre802.11i messages is desirable
• 802.1AE calls for cipher suites which, in principle, do not need to rely on
802.1X
• None have been proposed to date
• A potential approach for wireless systems
–
–
–
–
Submission
Use the richness of the wireless access medium
Enhance PHY/MAC based security tied to the wireless medium
Enhance existing security mechanism
This is commonly called “PHY Layer Security”
Slide 12
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
PHY-Layer Security
• “PHY-Layer” security is:
– Techniques that exploit the physical properties of the wireless channel
– Typically implemented in the PHY and the MAC
– Complementary to other modern techniques for securing wireless nets
• PHY-Layer Security uses the physical link as a non-repudiable,
shared, secret resource to:
– Provide always-on, link-specific message stream authentication
– Classify interference appropriately (malicious/benign) and apply appropriate
counter-measures
– Distinguish between co-located and distinctly located terminals
– Derive and update secret keys based on link properties and without the need to
use (and expose) authentication credentials
• PHY-Layer Security further uses link and terminal capabilities to:
– Null out an identified rogue terminal
– Switch away from channels under attack
– Proactively hop channels to confuse attacker
• We use our example attacks to demonstrate what may be done
Submission
Slide 13
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Example Attack 1: A Low-Power Jammer
•
Recalling the attack:
–
–
–
Attacking terminal reverses the CSMA process – transmits whenever it detects energy on the
channel
Legitimate terminals forced into even increasing back-off
Average power required for the attack is low
•
•
•
•
Initial power consumption is relative high
After a fairly short period, most terminals are in a long back-off state
The CSMA protocol assists in the attack
Countermeasures
–
Detection:
•
•
•
–
Continual power measurement during channel clear state and burst reception reveal that burst should be
successfully received
When this is violated sufficiently often (i.e. we observe statistically “impossible” collision pattern), an attack
is likely
If MIMO is present, direction of interference may be estimated and further found to be non-random
Mitigation:
•
•
•
•
Alert security policy manager to abnormal condition, its nature, and (if possible) approximate
localization
Switch channels. If possible establish a dynamic channel hopping policy.
Change the back-off protocol to eliminate increasing the expected back-off time. This will make the attack
costly (in terms of energy) and may drain the battery of a true low-power attacker
If MIMO present, null away interference source.
Inability to issue service requests
Submission
Smart jamming to disrupt network operation
Slide 14
DoS
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Example Attack 2: Sybil Attack
•
Recalling the attack
– A terminal uses multiple MAC addresses:
– Increases it share of bandwidth utilization
– Attempts a service specific DoS (e.g. multiple authentication/association requests)
•
Countermeasures:
– Detection
• Using channel-based signatures establish the fact that multiple MAC addresses appear to be from
same radio
– Mitigation
• Alert security policy manager to abnormal condition, its nature, and (if possible)
approximate localization
• If required by policy, establish that when treated as an aggregate these do not follow the proper
protocol for a single terminal
• De-associate all MAC addresses with suspect channel signature
• If MIMO present, null away transmission from suspect location
Service indications with modified address or
data parameters
Additional modified service indications
Transmission of rogue packets by legitimate
terminals
False MAC Identity
Delayed service indications that can
disrupt network operations
Submission
Slide 15
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Potential Impact on 802.11 Systems
• Impact on the PHY
– Making available new measurements of the physical medium
– Usually reporting internal quantities that are already available. For
example:
• Channel Impulse Response is computed by any receiver, but currently no
requirement to report exists
• Any radio performs channel measurements, however does not report these,
except as a Channel Clear indicator
• Impact on the MAC
– Post-processing of new measurement
– Identification of alert conditions
– Exposing control of operations currently hardwired, e.g.
• CSMA back-off time computation
• Computation of MIMO pre-coding vector
• Security Policy Manager
– 802.11 defines services provided to this component
– Its implementation is outside the scope of 802.11
Submission
Slide 16
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Summary
•
Future wireless systems will require security beyond what 802.11 can
currently offer
– Integrated approach to security including
• Existing and enhanced data security techniques
• Medium-aware lower-layer techniques
• Integration and leverage of platform security
•
Believe that “PHY” (PHY/MAC) security is appropriate for 802.11
– Directly within the scope of the standard
– Enables mitigation of numerous medium based attacks and vulnerabilities
– Impact to existing HW solutions is minimized as most of the “smarts” are in the
MAC
•
These ideas are ready for prime-time
– The need is coming – now is a good time to start addressing it
– Required core technology is well understood
• Most of the components are the same as those used for data comm.
• These are put together in a novel manner.
Submission
Slide 17
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Straw Poll #1
• Do you believe that future 802.11
systems/applications will require security beyond
what 802.11 currently has?
–
–
–
–
Yes
No
Don’t know need more information
Don’t care
Submission
Slide 18
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Straw Poll #2
• Do you believe that protecting against DOS
attacks requires security beyond what 802.11
currently has?
–
–
–
–
Submission
Yes
No
Don’t know need more information
Don’t care
Slide 19
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Straw Poll #3
• Do you believe that protecting against False
Identity attacks requires security beyond what
802.11 currently has?
–
–
–
–
Submission
Yes
No
Don’t know need more information
Don’t care
Slide 20
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Straw Poll #4
• Should 802.11 start a study group to address
physical layer security?
–
–
–
–
Submission
Yes
No
Don’t know need more information
Don’t care
Slide 21
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
Requesting Feedback from the Group
• Amend measurement/management/control to support enhanced lowlayer security techniques
– Detailed information about the channel
• Processed/sampled channel impulse response (CIR)
• Processed/sampled channel power level (CPL) (sampled CCA output)
• Network/local time synchronization reports …
– Additional PHY/MAC control
• CSMA back-off and transmission time
• Link-consistency check associated with each MAC address …
– Management communication support
•
•
•
•
•
PHY-layer key agreement protocol and utilization
Enhanced message authentication/conformation
CSMA back-off algorithm selection
Coordinated DoS defense strategies
Location proving protocols …
• Basic algorithm/policy set be defined
– 802.11 v. 802.1AE?
– addressing unique challenges/opportunities of wireless
• Key generation
• Location/localization based techniques …
Submission
Slide 22
Alex Reznik, InterDigital
September 2008
doc.: IEEE 802.11-08/0973r0
References
•
R. Paine, “Next Generation Security for 802.11,” IEEE 802.11 – 08/0120r1, Jan. 2008
•
P. Kyasanur, N. H. Vaidya, “Detection and Handling of MAC Layer Misbehavior in Wireless Networks,” 2002
•
L. Xiao, et. a.l., “Fingerprints in the Ether: Using the Physical Layer for Wireless Authentication,” Proc. of the
IEEE ICC 2007.
•
A. Mishra, M. Shin, and W. A. Arbaugh, “Your 802.11 network has no clothes,” IEEE Comm. Mag., pp. 44 – 51,
2002.
•
S. Mathur, et. al., “Radio-telepathy: Extracting a Cryptographic Key from an Unauthenticated Wireless
Channel,” to appear, Mobicomm, 2008.
•
L. Buttyan and J. –P. Hubaux, “Security and Cooperation in Wireless Networks,” Cambridge U. Press, 2008.
•
D. L. Lough, “A Taxonomy of Computer Attacks with Applications to Wireless,” Ph.D. Thesis, Virginia
Polytechnic U., 2001.
•
M. Raya et. al. “DOMINO: A system to Detect Greedy Behavior in IEEE 802.11 Hotspots,” MobiSys, 2004.
•
J. Pang et. al., “802.11 User Fingerprinting,” MobiCom 2007.
•
J. Bellardo and S. Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions,”
USENIX Security Symposium, August 2003.
Submission
Slide 23
Alex Reznik, InterDigital