SECURITY IN WIRELESS NETWORKS

Review of Wireless Security
Kruno Kisiček, CISM
February 2007
Contents:
• Introduction - Wireless Landscape (Wireless technologies, Architectural Models, Components, Security Framework, ...)
• Comprehensive Review of 802.11(i) Wireless LAN Security
• Review of GSM/UMTS Wireless Security
• Review of WiMAX Wireless Security
• Summary
Background: Wireless Landscape
[Figure: High-Speed Connectivity & Hierarchy of Networks. Coverage area increases, and cost and complexity go from low to high, across: Personal Area Network; Local Area Networks (e.g. 802.11); Fixed Broadband Wireless (e.g. 802.16); Cellular Mobile Networks (e.g. GPRS, 3G); Satellite Global Area Network.]
Background: Wireless Technologies
• PAN (Personal Area Network)
  + Standards: Bluetooth, UWB
  + Speed: < 1 Mbps
  + Range: Short
  + Applications: Peer-to-Peer, Device-to-Device
• LAN (Local Area Network)
  + Standards: 802.11, HiperLAN2
  + Speed: 11 to 54 Mbps
  + Range: Medium
  + Applications: Enterprise networks
• MAN (Metropolitan Area Network)
  + Standards: 802.16, MMDS, LMDS
  + Speed: 11 to 100+ Mbps
  + Range: Medium-Long
  + Applications: T1 replacement, last mile access
• WAN (Wide Area Network)
  + Standards: GSM, GPRS, CDMA, 2.5-3G, HSDPA, 802.16e
  + Speed: 10 Kbps – 100+ Mbps
  + Range: Long
  + Applications: PDAs, Mobile Phones, cellular access
Comparing Technologies
Columns: 802.11 (WiFi) | 802.16 (WiMAX) | 802.20 (Mobile-FI) | UMTS (3G)
• Bandwidth: 11-54 Mbps shared | Share up to 70 Mbps | Up to 1.5 Mbps each | 384 Kbps – 2 Mbps
• Range (LOS): 100 meters | 30 – 50 km | 3 – 8 km | Coverage is overlaid on wireless infrastructure
• Range (NLOS): 30 meters | 2 - 5 km (’07)
• Mobility: Portable | Fixed (Mobile - 16e) | Full mobility | Full mobility
• Frequency/Spectrum: 2.4 GHz for 802.11b/g, 5.2 GHz for 802.11a | 2-11 GHz for 802.16a, 11-60 GHz for 802.16 | <3.5 GHz | Existing wireless spectrum
• Licensing: Unlicensed | Both | Licensed | Licensed
• Standardization: 802.11a, b and g standardized | 802.16, 802.16a and 802.16 REVd standardized, other under development | 802.20 in development | Part of GSM standard
• Availability: In market today | In market today | Standards coming, Product late ’06 (???) | Widely
Potential Services
Columns: 802.11 (WiFi) | 802.16 (WiMAX) | 802.20 (Mobile-FI) | UMTS (3G)
• VoIP: Limited, QoS concerns | Limited, QoS concerns | Limited, QoS concerns | Yes
• Video: Yes, in home | Possible, QoS concerns | No | Possible, via HSDPA
• Data/Internet: Yes | Yes | Yes | Yes
• WLAN: Yes, small scale | Yes, large scale | No | No
• Security: WEP & 802.11i | Developing WEP | None (today) | A3/A5/A8/..
• QoS: 802.11e | 802.16b | None (today) | Limited
IEEE 802.11 Standards - Wireless Fidelity (Wi-Fi)
802.11n
• Release Date: January 2007 (Linksys)
• Op. Frequency: 2.4 GHz or 5 GHz
• Data Rate (Typ): 200 Mbit/s
• Data Rate (Max): 540 Mbit/s
• Range (Indoor): ~50 meters (~165 ft)
IEEE 802.11 Network Components
• IEEE 802.11 has two fundamental architectural components, as follows:
  + Station (STA). A STA is a wireless endpoint device. Typical examples of STAs are laptop computers, personal digital assistants (PDA), mobile phones, and other consumer electronic devices with IEEE 802.11 capabilities.
  + Access Point (AP). An AP logically connects STAs with a distribution system (DS), which is typically an organization’s wired infrastructure. APs can also logically connect wireless STAs with each other without accessing a distribution system.
IEEE 802.11 Architectural Models
Overview of IEEE 802.11 Security
• The most common security objectives for WLANs are as follows:
  + Confidentiality—ensure that communication cannot be read by unauthorized parties
  + Integrity—detect any intentional or unintentional changes to data that occur in transit
  + Availability—ensure that devices and individuals can access a network and its resources whenever needed
  + Access Control—restrict the rights of devices or individuals to access a network or resources within a network.
Major Threats against LAN Security
Taxonomy for Pre-RSN and RSN
Security
802.11 Station Authentication
1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and
sends an authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association
request frame to the access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point
Probe Request Frame
Access Control and Authentication
• The original IEEE 802.11 specification defines two means to validate the identities of wireless devices attempting to gain access to a WLAN:
  + open system authentication and
  + shared key authentication.
Open system authentication
• Open system authentication is effectively a null authentication mechanism that does not provide true identity verification. In practice, a STA is authenticated to an AP simply by providing the following information:
  + Service Set Identifier (SSID) for the AP. The SSID is a name assigned to a WLAN; it allows STAs to distinguish one WLAN from another. SSIDs are broadcast in plaintext in wireless communications, so an eavesdropper can easily learn the SSID for a WLAN.
  + Media Access Control (MAC) address for the STA. Many implementations of IEEE 802.11 allow administrators to specify a list of authorized MAC addresses; the AP will permit devices with those MAC addresses only to use the WLAN. This is known as MAC address filtering. Unfortunately, almost all WLAN adapters allow applications to set the MAC address, so it is relatively trivial to spoof a MAC address, meaning attackers can gain unauthorized access easily.
Open Authentication with Differing
WEP Keys
Shared key authentication
 As the name implies, shared key authentication is based on a secret
cryptographic key known as a Wired Equivalent Privacy (WEP) key;
this key is shared by legitimate STAs and APs.
Shared key authentication
• Shared key authentication is still weak because
  + AP is not authenticated to the STA, so there is no assurance that the STA is communicating with a legitimate AP
  + Challenge-response process can be compromised by methods such as man-in-the-middle attacks and offline brute force or dictionary attacks.
  + All devices on a WLAN use the same WEP key or the same small set of keys
  + Does not specify any support for key management.
Encryption
• The WEP protocol, part of the IEEE 802.11 standard, uses the RC4 stream cipher algorithm to encrypt wireless communications, which protects their contents from disclosure to eavesdroppers.
• The standard for WEP specifies support for a 40-bit WEP key only; however, many vendors offer non-standard extensions to WEP that support key lengths of up to 104 bits.
• WEP also uses a 24-bit value known as an initialization vector (IV) as a seed value for initializing the cryptographic key stream. For example, a 104-bit WEP key with a 24-bit IV becomes a 128-bit RC4 key.
WEP Encryption and Its Weaknesses
• With ECB (Electronic Code Book) mode encryption, the same plain-text input always generates the same cipher-text output.
• There are two encryption techniques to overcome this issue:
  + Initialization vectors
  + Feedback modes
• An initialization vector (IV) is used to alter the key stream. The IV is a numeric value that is concatenated to the base key before the key stream is generated. Every time the IV changes, so does the key stream.
• Feedback modes are generally used with block ciphers, and the most common feedback mode is known as cipher block chaining (CBC) mode.
WEP Privacy Using RC4 Algorithm
Encryption
• Most attacks against WEP encryption have been based on IV-related vulnerabilities. For example, the IV portion of the RC4 key is sent in cleartext, which allows an eavesdropper that monitors and analyzes a relatively small amount of network traffic to recover the key by taking advantage of the IV value knowledge, the relatively small 24-bit IV key space, and a weakness in the way WEP implements the RC4 algorithm.
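Added example (not part of the original slides): a short Python sketch of the per-frame RC4 key described above, the cleartext IV followed by the WEP key, showing that two frames with the same IV share a key stream and how a capture can be audited for repeated IVs. The key, IVs and payloads are constructed sample data, and the frame layout is simplified (no key-ID byte).

```python
import math
import zlib
from collections import defaultdict

IV_BITS = 24  # WEP initialization vector size


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(iv: bytes, wep_key: bytes, payload: bytes) -> bytes:
    """Cleartext IV, then RC4(IV || key) applied to payload || CRC-32 (the ICV)."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("WEP IV is 24 bits")
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(data, rc4_keystream(iv + wep_key, len(data)))


def reused_ivs(frames) -> dict:
    """Audit helper: map each IV seen more than once to the indexes of its frames."""
    seen = defaultdict(list)
    for idx, frame in enumerate(frames):
        seen[frame[:3]].append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


def frames_until_collision(p: float = 0.5, bits: int = IV_BITS) -> int:
    """Birthday estimate: frames with random IVs before a repeat has probability p."""
    return math.ceil(math.sqrt(2 * (1 << bits) * math.log(1 / (1 - p))))


# Constructed sample data: a 104-bit key and three frames, two of them sharing an IV.
KEY = bytes.fromhex("0102030405060708090a0b0c0d")
P1, P2, P3 = b"GET /index.html ", b"POST /login HTTP", b"keepalive frame "
FRAMES = [
    wep_seal(b"\x00\x00\x01", KEY, P1),
    wep_seal(b"\x00\x00\x02", KEY, P2),
    wep_seal(b"\x00\x00\x01", KEY, P3),
]

if __name__ == "__main__":
    print("RC4 key length in bits:", 8 * len(b"\x00\x00\x01" + KEY))
    print("reused IVs:", reused_ivs(FRAMES))
    # Same IV and key give the same key stream, so it cancels out of the XOR
    # and only the XOR of the two plaintexts remains.
    print(xor(FRAMES[0][3:], FRAMES[2][3:])[:16] == xor(P1, P3))
    print("frames for a 50% chance of an IV repeat:", frames_until_collision())
```

With only 2^24 possible IVs, a repeat becomes likely after a few thousand frames, which is why the later slides move to per-packet keying and a sequence counter.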
Vulnerability of Shared Key
Authentication
Initialization Vector Replay Attacks
1. A known plain-text message is sent to an observable wireless LAN client (an e-mail message)
2. The network attacker will sniff the wireless LAN looking for the predicted cipher text
3. The network attacker will find the known frame and derive the key stream
4. The network attacker can “grow” the key stream using the same IV/WEP key pair as the observed frame
This attack is based on the knowledge that the IV and base WEP key can be reused or replayed repeatedly to generate a key stream large enough to subvert the network.
Initialization Vector Replay Attacks
1. The network attacker can build a frame one byte larger than the known key stream size; an Internet Control Message Protocol (ICMP) echo frame is ideal because the access point solicits a response
2. The network attacker then augments the key stream by one byte
3. The additional byte is guessed because only 256 possible values are possible
4. When the network attacker guesses the correct value, the expected response is received: in this example, the ICMP echo reply message
5. The process is repeated until the desired key stream length is obtained
Bit-Flipping Attack
Bit-Flipping Attack
CBC Mode Block Cipher
VPN WLAN Design
WEP Cracking Tools
• Airsnort (airsnort.schmoo.com)
• WepAttack (wepattack.sourcefourge.net)
• WEPCrack
(sourceforge.net/projects/wepcrack)
• Weplab (sourceforge.net/projects/weplab)
• Aircrack (www.aircrack-ng.org)
Typical Security Incidents
• Unauthorized association and snooping
• Access Point Intrusion
• Intrusion attempts (WLAN and Wired Network)
• Loss of confidential data
• Data Capture and Replay Attacks
• Bandwidth Theft
• Unauthorized Rogue Access Points
• Wireless clients associate with wrong access point (Fake Access Points)
Step 1 – Security Policy Review
• Wireless LAN treated as ‘external’ network
• Approval for wireless infrastructure and clients
• Security Architecture and Design Review
• Access Point Configuration Standards
• Authentication and Encryption Baseline
• Logging, Monitoring, Intrusion Detection
• Wireless Vulnerability Assessment
Step 2 – Architecture Assessment
• Security Architecture and Design
• Network segmentation control (firewall)
• Secure configuration of Access Points
• VPN (IPsec or SSL)
• Authentication of wireless clients
• Encryption of wireless traffic
• Logging, and monitoring wireless security logs
Step 3 – Risk Assessment
• Document Wireless Architecture, Components, Security Configuration
• Threat Assessment
• Vulnerability Assessment
• Controls Assessment
• Assess Risk
• Control Recommendations
Vulnerability Assessment
• Wireless Assessment Toolkit
  + Linux-based toolkits
    - Knoppix (knoppix.net)
    - Nmap; Nessus (testing from wired LAN)
• Tools
  + Network Discovery
  + WEP/WPA Cracking Tools
  + Packet Capture Tools
  + Known exploit code
Network Discovery
• Laptop / PDA
• Wireless network card
• Network Discovery Tools:
  + Kismet
  + NetStumbler
  + Ministumbler
• Antenna
• GPS Unit
Rogue Access Point detection
• Tools / Solutions
  + Airmagnet (www.airmagnet.com)
  + Retina WiFi Scanner (www.eeye.com)
  + Kismet (www.kismetwireless.net)
  + Pocketwarrior (www.pocketwarrior.org)
  + WiFiFoFum (www.aspecto-software.com)
Step 4 – AP Configuration Review
• Access Point Configuration
  + telnet, http, snmp
  + default authentication
• SSID Configuration
• Authentication & Encryption Setup
• Logging Enabled
Step 5 – Authentication & Encryption
• WPA
  + Subset of 802.11i
  + Confidentiality: TKIP
  + Authentication - Per-user or Pre-shared key
  + Integrity Mechanisms
• 802.11i (WPA2)
  + Addresses the main problems of WEP and Shared-Key Authentication
  + Temporal Key Integrity Protocol (TKIP)
  + Message Integrity Control ~ Michael
  + AES Encryption replacement for RC4
• 802.1x
  + Framework to control port access between devices, AP, and servers
  + Not specific to 802.11 networks
  + Uses dynamic keys instead of the WEP authentication static key
Wi-Fi Alliance Certification Programs
• The Wi-Fi Alliance began conducting interoperability testing in April 2000 and has since awarded its Wi-Fi CERTIFIED label to over 2,500 WLAN products. Product categories include access points and a wide variety of clients.
• Three basic types of certifications: radio standards, network security, and multimedia content support.
• The Wi-Fi Alliance also manages a licensing program for Wi-Fi providers called Wi-Fi Zone. Organizations participating in the program agree to use Wi-Fi CERTIFIED™ products only and adhere to certain service standards.
Wi-Fi Alliance
• The Wi-Fi Alliance introduced WPA in early 2003 to address serious vulnerabilities inherent in WEP, which was the only available IEEE 802.11 security protection at that time. WPA is essentially a subset of IEEE 802.11i that provides a solution to WEP’s major problems. To accomplish this protection, WPA leverages the following core security features from IEEE 802.11i:
  + IEEE 802.1X and EAP authentication
  + Key generation and distribution based on the IEEE 802.11i 4-Way Handshake
  + TKIP mechanisms including
    - Encapsulation and decapsulation
    - Replay protection
    - Michael MIC integrity protection.
Brief Overview of IEEE 802.11i Security
• IEEE 802.11i references the Extensible Authentication Protocol (EAP) standard, which is a means for providing mutual authentication between STAs and the WLAN infrastructure, as well as performing automatic cryptographic key distribution.
• IEEE 802.11i also uses some techniques derived from the Internet Protocol Security (IPsec) standard, such as generating cryptographic checksums through hash message authentication codes (HMAC).
802.1X Layers
EAP – SIM
GSM SIM
Authentication
802.1X Ports
802.1X requires three entities:
• The supplicant—Resides on the wireless LAN client
• The authenticator—Resides on the access point
• The authentication server—Resides on the RADIUS server
• IEEE 802.1X defines IEEE 802 encapsulation of EAP messages
• EAP over LAN (EAPOL) messages
802.1X and EAP Message Flow
EAP
• EAP supports a wide variety of authentication methods (rfc3748), also called EAP methods. These methods include authentication based on passwords, certificates, smart cards, and tokens.
• EAP methods can also include combinations of authentication techniques, such as a certificate followed by a password, or the option of using either a smart card or a token.
EAP methods
• The current WPA/WPA2 certified EAP methods are:
  + EAP-TLS (originally certified protocol)
  + EAP-TTLS/MSCHAPv2
  + PEAPv0/EAP-MSCHAPv2
  + PEAPv1/EAP-GTC
  + EAP-SIM
Pairwise Key Hierarchy
Summary of Data Confidentiality
and Integrity Protocols
The EAP Cisco Authentication
Algorithm




Mutual Authentication
User-Based Authentication
Dynamic WEP Keys
Data Privacy with TKIP


• A message integrity check (MIC) function on all WEP-encrypted data frames
  + Initialization vector/base key reuse—The MIC adds a sequence number field to the wireless frame. The access point will drop frames received out of order.
  + Frame tampering/bit flipping—The MIC feature adds a MIC field to the wireless frame. The MIC field provides a frame integrity check not vulnerable to the same mathematical shortcomings as the ICV.
• Per-packet keying on all WEP-encrypted data frames
Per-packet keying
Cisco LEAP - password-based algorithm.
EAP-TLS Authentication Process
EAP Transport Layer Security
TLS comprises three protocols:
• Handshake protocol—The handshake protocol negotiates the parameters for the SSL session. The SSL client and server negotiate the protocol version and encryption algorithms, authenticate each other, and derive encryption keys.
• Record protocol—The record protocol facilitates encrypted exchanges between the SSL client and the server. The negotiated encryption scheme and encryption keys are used to provide a secure tunnel for application data between the SSL endpoints.
• Alert protocol—The alert protocol is the mechanism used to notify the SSL client or server of errors as well as session termination.
Protected EAP
• Protected EAP (PEAP) is an EAP authentication type that is designed to allow hybrid authentication.
• PEAP employs server-side PKI authentication. For client-side authentication, PEAP can use any other EAP authentication type.
• Because PEAP establishes a secure tunnel via server-side authentication, non-mutually authenticating EAP types can be used for client-side authentication, such as EAP generic token card (GTC) for one-time passwords (OTP), and EAP MD5 for password-based authentication.
• PEAP is based on server-side EAP-TLS, and it addresses the manageability and scalability shortcomings of EAP-TLS. Organizations can avoid the issues associated with installing digital certificates on every client machine as required by EAP-TLS and select the method of client authentication that best suits them.
Protected EAP
EAP SIM Architecture
EAP SIM authentication is based on the authentication and
encryption algorithms stored on the Global System for Mobile
Communications (GSM) SIM, which is a Smartcard designed
according to the specific requirements detailed in the GSM
standards.
GSM authentication is based on a challenge-response mechanism
and employs a shared secret key, Ki, which is stored on the SIM and
otherwise known only to the GSM operator’s Authentication Center
(AuC).
When a GSM SIM is given a 128-bit random number (RAND) as a
challenge, it calculates a 32-bit response (SRES) and a 64-bit
encryption key (Kc) using an operator-specific confidential algorithm.
In GSM systems, Kc is used to encrypt mobile phone conversations
over the air interface.
EAP SIM Authentication
UMTS system architecture (R99)
UMTS and GSM
Security objectives
• Problems with GSM Security
  + Weak authentication and encryption algorithms (COMP128 has a weakness allowing user impersonation; A5 can be broken to reveal the cipher key)
  + Short key length (32 bits)
  + No data integrity (allows certain denial of service attacks)
  + No network authentication (false base station attack possible)
  + Limited encryption scope (Encryption terminated at the base station, in clear on microwave links)
  + Insecure key transmission (Cipher keys and authentication parameters are transmitted in clear between and within networks)
3G Security Features
• Mutual Authentication
  + The mobile user and the serving network authenticate each other
• Data Integrity
  + Signaling messages between the mobile station and RNC protected by integrity code
• Network to Network Security
  + Secure communication between serving networks. IPsec suggested
• Wider Security Scope
  + Security is based within the RNC rather than the base station
• Secure IMSI (International Mobile Subscriber Identity) Usage
  + The user is assigned a temporary IMSI by the serving network
3G Security Features
• User – Mobile Station Authentication
  + The user and the mobile station share a secret key, PIN
• Secure Services
  + Protect against misuse of services provided by the home network and the serving network
• Secure Applications
  + Provide security for applications resident on mobile station
• Fraud Detection
  + Mechanisms for combating fraud in roaming situations
• Flexibility
  + Security features can be extended and enhanced as required by new threats and services
3G Security Features
• Visibility and Configurability
  + Users are notified whether security is on and what level of security is available
• Multiple Cipher and Integrity Algorithms
  + The user and the network negotiate and agree on cipher and integrity algorithms. At least one encryption algorithm exported on world-wide basis (KASUMI)
• Lawful Interception
  + Mechanisms to provide authorized agencies with certain information about subscribers
• GSM Compatibility
  + GSM subscribers roaming in 3G network are supported by GSM security context (vulnerable to false base station)
Authentication and Key Agreement
Encryption
• Signaling and user data protected from eavesdropping. Secret key, block cipher algorithm (KASUMI) uses 128 bit cipher key.
• At the mobile station and RNC (radio network controller)
Integrity Check
• Integrity and authentication of origin of signalling data provided. The integrity algorithm (KASUMI) uses 128 bit key and generates 64 bit message authentication code.
• At the mobile station and RNC (radio network controller)
WiMAX Overview
• Complement the existing last mile wired networks (i.e. xDSL, cable modem)
• Fast deployment, cost saving
• High speed data, voice and video services
• Fixed BWA, Mobile BWA
WiMAX Applications
[Figure: WiMAX applications on a BWA operator network connected to the Internet backbone. Labels: fractional E1 for small business; T1+ level service for enterprise; backhaul for hotspots; mobile backhaul; residential & SoHo DSL-level service; 802.16d; 802.16e; mobility; WMAN nomadic coverage with handoff from hot spots; wide area coverage outside of hot spots.]
Benefits of WiMAX
● Speed
  + Faster than broadband service
● Wireless
  + Not having to lay cables reduces cost
  + Easier to extend to suburban and rural areas
● Broad coverage
  + Much wider coverage than WiFi hotspots
Security Issues
• Provides subscribers with privacy across the fixed broadband wireless network
• Protect against unauthorized access to the data transport services
  + Encrypt the associated service flows across the network.
• Implemented by encrypting connections between SS and BS
• Security mechanisms
  + Authentication
  + Access control
  + Message encryption
  + Message modification detection (Integrity)
  + Message replay protection
  + Key management
    - Key generation, key transport, key protection, key derivation, key usage
Security Association
• Data SA
  + 16-bit SA identifier
  + Cipher to protect data: DES-CBC
  + 2 TEK
  + TEK key identifier (2-bit)
  + TEK lifetime
  + 64-bit IV
• Authorization SA
  + X.509 certificate → SS
  + 160-bit authorization key (AK)
  + 4-bit AK identification tag
  + Lifetime of AK
  + KEK for distribution of TEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
  + Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
  + Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
  + A list of authorized data SAs
IEEE 802.16 Security Process
Authentication
SS →BS: Cert(Manufacturer(SS))
SS →BS: Cert(SS) | Capabilities | SAID
BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList
Key Derivation
KEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
Data Key Exchange
Data Key Exchange
• Traffic Encryption Key (TEK)
• TEK is generated by BS randomly
• TEK is encrypted with
  + Triple-DES (use 128 bits KEK)
  + RSA (use SS’s public key)
  + AES (use 128 bits KEK)
• Key Exchange message is authenticated by HMAC-SHA1 (provides Message Integrity and AK confirmation)
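Added example (not part of the original slides): the Key Derivation formulas and the HMAC-SHA1 protection of key exchange messages, written out in Python. Here 0^44 means 44 zero bytes and 53^64 means the byte 0x53 repeated 64 times; the leftmost-bits truncation, the byte encoding of SeqNo and SAID, and the sample AK are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

AK_LEN = 20                                   # 160-bit authorization key (AK)
PAD_KEK, PAD_DOWN, PAD_UP = 0x53, 0x3A, 0x5C  # pad bytes from the formulas above
TAG_LEN = hashlib.sha1().digest_size          # 20-byte HMAC-SHA1 tag


def _sha1_padded(ak: bytes, pad: int) -> bytes:
    """SHA1((AK | 0^44) xor pad^64): zero-extend AK to 64 bytes, XOR, hash."""
    if len(ak) != AK_LEN:
        raise ValueError("AK must be 160 bits")
    block = ak + bytes(64 - AK_LEN)
    return hashlib.sha1(bytes(b ^ pad for b in block)).digest()


def derive_keys(ak: bytes) -> dict:
    """Derive the KEK and the two directional HMAC keys from one AK."""
    return {
        "kek": _sha1_padded(ak, PAD_KEK)[:16],    # Truncate-128 (leftmost bits assumed)
        "hmac_down": _sha1_padded(ak, PAD_DOWN),  # authenticates BS -> SS messages
        "hmac_up": _sha1_padded(ak, PAD_UP),      # authenticates SS -> BS messages
    }


def seal(hmac_key: bytes, seq_no: int, said: int, body: bytes = b"") -> bytes:
    """Build SeqNo | SAID | body | HMAC. The field widths are an assumed encoding."""
    fields = struct.pack(">BH", seq_no, said) + body
    return fields + hmac.new(hmac_key, fields, hashlib.sha1).digest()


def verify(hmac_key: bytes, message: bytes) -> bool:
    """Recompute the tag over the fields and compare in constant time."""
    if len(message) < TAG_LEN:
        return False
    fields, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(hmac_key, fields, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def flip_first_byte(message: bytes) -> bytes:
    """Return a copy with one bit of the SeqNo field changed (simulated tampering)."""
    return bytes([message[0] ^ 0x01]) + message[1:]


# Constructed sample: a fixed AK stands in for the one the BS sends RSA-encrypted.
SAMPLE_AK = bytes(range(AK_LEN))
KEYS = derive_keys(SAMPLE_AK)
KEY_REQUEST = seal(KEYS["hmac_up"], seq_no=3, said=0x1234)  # SS -> BS key request

if __name__ == "__main__":
    print("KEK bits:", len(KEYS["kek"]) * 8)
    print("request verifies with uplink key:", verify(KEYS["hmac_up"], KEY_REQUEST))
    print("same bytes under downlink key:", verify(KEYS["hmac_down"], KEY_REQUEST))
    print("tampered SeqNo verifies:", verify(KEYS["hmac_up"], flip_first_byte(KEY_REQUEST)))
```

The HMAC covers only the key management messages; as the Data Encryption slide notes, data frames themselves carry no integrity check.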
Data Encryption
Data Encryption
• Encrypt only data message not management message
• DES in CBC Mode
  + 56 bit DES key (TEK)
  + No Message Integrity Detection
  + No Replay Protection
Key Management
Message 1:
BS →SS: SeqNo | SAID | HMAC(1)
Message 2:
SS →BS: SeqNo | SAID | HMAC(2)
Message 3:
BS →SS: SeqNo | SAID | OldTEK |NewTEK | HMAC(3)
M1: to rekey a data SA, or create a new SA
TEK: encrypted with Triple-DES-ECB
IEEE 802.16 Security Flaws
• Lack of Explicit Definitions
  + Authorization SA not explicitly defined
    - SA instances not distinguished: open to replay attacks
    - Solution: Need to add nonces from BS and SS to the authorization SA
  + Data SA treats 2-bit key as circular buffer
    - Attacker can interject reused TEKs
    - SAID: 2 bits → at least 12 bits (AK lasts 70 days while TEK lasts for 30 minutes)
  + TEKs need expiration due to DES-CBC mode
    - Determine the period: 802.16 can safely produce 2^32 64-bit blocks only.
IEEE 802.16 Security Flaws
• Need for mutual authentication
  + Authentication is one way
  + BS authenticates SS
  + No way for SS to authenticate BS
  + Rogue BS possible because all information is public
  + Possible enhancement: BS certificate
    SS → BS: Cert(Manufacturer)
    SS → BS: SS-Rand | Cert(SS) | Capabilities | SAID
    BS → SS: BS-Rand | SS-Rand | E(Pub(SS), AK) | Lifetime | SeqNo | SAID | Cert(BS) | Sig(BS)
IEEE 802.16 Security Flaws
• Authentication Key (AK) generation
  + BS generates AK
  + No contribution from SS
  + SS must trust BS for the generation of AK
• AK = HMAC-SHA1(contribution from SS + contribution from BS)
  + AK = HMAC-SHA1(pre-AK, SS-Random | BS-Random | SS-MAC-Addr | BS-MAC-Addr | 160)
IEEE 802.16 Security Flaws
• Key management
  + TEK sequence space (2-bit sequence #)
    - Replay attack can force reuse of TEK/IV
    - Increase it to 12-bit
  + No specification on the generation of TEK and therefore TEKs are random
  + No TEK freshness assurance
Message 1:
BS → SS: SS-Random | BS-Random | SeqNo12 | SAID | HMAC(1)
Message 2:
SS → BS: SS-Random | BS-Random | SeqNo12 | SAID | HMAC(2)
Message 3:
BS → SS: SS-Random | BS-Random | SeqNo12 | SAID | OldTEK | NewTEK | HMAC(3)
Do not transmit the TEK; generate it:
TEK = HMAC-SHA1(pre-TEK, SS-Random | BS-Random | SS-MAC-Addr | BS-MAC-Addr | SeqNo12 | 160)
SS-Random | BS-Random is used as an instance identifier
IEEE 802.16 Security Flaws
• Alternative Cryptographic Suite
  + IEEE 802.16 used DES-CBC
  + DES uses 64 bit block size
  + According to studies, CBC mode using a block cipher with an n-bit block loses its security after operating on 2^(n/2) blocks with the same encryption key.
  + So IEEE 802.16 can safely produce 2^32 64-bit blocks.
  + Also, the IVs used in DES-CBC are predictable.
• Use AES-CCM as encryption primitive
  + 128 bit key (TEK)
  + HMAC-SHA1
  + Replay Protection using Packet Number
IEEE 802.16 Security Flaws
• Data protection errors
  + 56-bit DES… does not offer strong data confidentiality
  + Forgeries or replays (WEP-like vulnerability)
    - Writes are not prevented, read-protects only
    - even w/o encryption key
  + Uses a PREDICTABLE initialization vector (while DES-CBC requires a random IV)
    - IV is the xor of the IV in SA and the PHY synchronization field from the most recent GMH
  + Generate each per-frame IV randomly and insert it into the payload.
    - Though this increases overhead, there is no other choice.
IEEE 802.16 Security Flaws
• No data Authentication
  + Encryption only prevents reading, but anyone without the key can write (change the message).
  + Strong MAC needs to be included in the message
References
• Wireless Security Reference Site
  + www.wardrive.net
• Wireless Security Policies
  + www.sans.org/resources/policies
• NIST Wireless Network Security (includes wireless security checklist)
  + csrc.nist.gov/publications/drafts/draft-sp800-97.pdf
• Wireless Security Checklists
  + www.cisecurity.org
  + www.sans.org/score/