
Security and Cooperation in Wireless Networks
Chapter 1
The security of existing wireless
networks
a. Security of cellular networks
b. WiFi Security: WEP, WPA, and WPA2
Levente Buttyan and Jean-Pierre Hubaux
[--Note: L. Lilien made changes to improve clarity and formatting of slides, including:
(1) adding more levels for prioritization of text,
(2) changing font to larger size for most slides,
(3) splitting many slides into 2 or more slides (necessary due to the above changes)
(4) adding emphasis by changing font color to blue
(5) removing words that are superfluous in slides
(6) improving consistency of slides and the textbook
Modifications are © 2007-2009 by Leszek T. Lilien. Requests to use L. Lilien’s slides for nonprofit purposes will be gladly granted upon a written request.--]
Why is security more of a concern in wireless?
■ No inherent physical protection
– Physical connections between devices are replaced by logical associations
– Don’t need physical access to the network infrastructure (cables, hubs, routers, etc.) for xmitting messages
■ Wireless broadcast transmissions / communications
– Usually, wireless = radio => a broadcast nature
– Can be overheard by anyone in range
– Anyone can transmit
• Received by other devices in range
• Interferes with other nearby transmissions
– Jamming may prevent correct reception
2
■ Security vulnerabilities for wireless networks
– eavesdropping is easy
– messages can be altered or bogus messages injected by an attacker (an example of an active attack)
– easier to impersonate (= to cheat on identities)
– replaying previously recorded messages is easy
– illegitimate access to the network and its services is easy
– denial of service (DoS) is easily achieved by jamming
3
Security requirements for wireless communication
■ Recall: classic CIA security requirements
– CIA = confidentiality + integrity + availability
– Req’s below include CIA (in a different order)
■ authentication
– origin of received messages must be verified
■ access control
– limit access to network services to legitimate entities only
– need permanent access control
• checking the legitimacy of an entity only when it joins the network (and its logical associations are established) is not sufficient
» bec. logical associations can be hijacked
■ confidentiality
– messages must be encrypted
4
Security requirements for wireless communication (2)
■ integrity
– malicious modification of messages is possible
• Even if modifying on-the-fly (during radio transmission) is not so easy
– integrity of received messages must be verified
■ privacy
– incl. location privacy
• do not reveal the location of the user, nor the party with which she communicates
– law enforcement agencies must have access to these two pieces of info
■ non-repudiation
– e.g., prevent possibility that a user, after getting a message/service, pretends that she did not
5
Security requirements for wireless communication (3)
■ availability
– in particular, guarantee a fair share of the radio resource
• e.g., for all mobile users located in the same radio domain
– provide higher priority for more important communications
• e.g., an emergency call from a cellular phone
■ other security req’s:
– replay detection
• freshness of received messages must be checked
– protection against jamming
6
Securing wireless networks
a. Security of cellular networks
Security in European cellular nets (similar in US cell nets)
- in GSM (Global System for Mobile Communications)
- A European 2G (2nd generation) cellular network
- in UMTS (Universal Mobile Telecommunications System)
- A European 3G (3rd generation) cellular network
7
REFRESHER SLIDES (quick presentation till Slide 23)
Introduction To Cellular Systems
(see L. Lilien’s Section 1 and Section 9 slides for
CS6910: Pervasive Computing – S’07)
[Figure: a user moves from Washington, DC to Cincinnati, OH but the phone # stays unchanged]
[LTL:] Maintaining the telephone number across geographical areas in a wireless and mobile system
8
Generations of Wireless Systems & Services
■ 1G - First Generation
– Primarily for voice communication
– Using FDM (frequency division multiplexing)
■ 2G - Second Generation
– Emphasis still on voice communication but allows for…
– … Data communication
– Using TDM (time division multiplexing)
– Indoor/outdoor and vehicular environment
■ 3G - Third Generation
– Integrated voice, data, and multimedia communication
– Need for:
• High volume of traffic / Real time data communication
• Flexibility, incl.
» Frequent Internet access
» Multimedia data transfer
• Compatibility with 2G
– Using compression
• Without compromising quality
© 2007 by Leszek T. Lilien
9
Future: 4G
■ 4G
– Expected to implement all standards from 2G & 3G
– Infrastructure only packet-based, all-IP
– Some of the standards paving the way for 4G:
• WiMax
• WiBro (Korean)
• 3GPP Long Term Evolution
» Improves the UMTS mobile phone standard (Europe)
• Work-in-progress technologies
» E.g., HSOPA, a part of 3GPP Long Term Evolution
© 2007 by Leszek T. Lilien
10
Coverage Aspect of Next Generation Mobile Communication Systems
[Figure: coverage layers of next generation mobile systems: Picocell (In-Building), Microcell (Urban), Macrocell (Suburban), Global (Satellite)]
11
Fundamentals of Cellular Systems
[Figure: illustration of a cell with a mobile station (MS) and a base station (BS) in a service area. Ideal cell area: a circle (2-10 km radius); alternative shape of a cell: a square; hexagonal cell area used in most models]
[LTL:]
■ Cell shapes (above)
– Actually, cell may have a zigzag shape
– Hexagon is a good approximation in practice
• Also, gives non-overlapping cells (used by clever bees for beehives)
• E.g., circles would either overlap, or would have gaps in between
12
MS, BS, BSC, MSC, and PSTN
[Figure: several BS/MS pairs connect over wired links to a BSC; several BSCs connect to an MSC; MSCs connect to the PSTN (and, e.g., a home phone)]
[LTL:]
■ Several BSs connected via wireline links to one BSC (BS controller)
■ Several BSCs connected via wireline links to one MSC (Mobile Switching Center)
■ Several MSCs interconnected via wireline links to PSTN (Public Switched Telephone Network) and the ATM backbone
13
BS Structure
■ BS consists of
– Base Transceiver System (BTS)
• Includes tower & antenna
– BSC
• Contains all associated electronics
© 2007 by Leszek T. Lilien
14
MSC Database Supporting MS Mobility & Incoming Call Scenario
■ MSC database for supporting MS mobility
1) Home location register (HLR) for MS
• Located at the “home MSC” for MS
» Where MS is registered, billed, etc.
• Indicates current location of MS
» Could be within home MSC’s area OR
» Could be in the area of any MSC in the world
2) Visitor location register (VLR) on each MSC
• Contains info on all MSs visiting area of this MSC
■ Incoming call scenario
– Based on the called #, incoming call for an MS is directed to the HLR of the “home MSC” for this MS
– HLR redirects the call to MSC/BSC/BS where the MS is now
– VLR of the “current MSC” has info on MS (one of visiting MSs)
© 2007 by Leszek T. Lilien
15
Control and Traffic Channels
[Figure: control and traffic channels between Mobile Station and Base Station. Note: Forward/reverse in the U.S., downlink/uplink elsewhere]
[LTL:]
■ 4 simplex channels needed for control & traffic
– 2 control channels
• Exchange control msgs
• Forward channel & reverse channel
– 2 traffic channels
• For data
• Forward channel & reverse channel
16
Steps for a Call Setup from MS to BS
[LTL:]
■ Steps for a call setup from MS to BS: when MS initiates a call
[Figure: message sequence between MS and BS over time]
1. Need to establish path
2. Frequency/time slot/code assigned (FDMA/TDMA/CDMA)
3. Control information acknowledgement
4. Start communic. on assigned traffic channel
17
Steps for a Call Setup from BS to MS
[LTL:]
■ Steps for a call setup from BS to MS: when MS responds to a call (another MS calls this MS)
[Figure: message sequence between BS and MS over time]
1. Call for MS # pending
2. Ready to establish a path
3. Use frequency / time slot / code (FDMA/TDMA/CDMA)
4. Ready for communication
5. Start communic. on assigned traffic channel
18
9.2. Cellular System Infrastructure – cont. 1
The infrastructure in more detail
1) Discussed in Sec. 1 (“Pervasive Computing”):
– BTS = base transceiver system (tower + antenna) (transceiver = transmitter + receiver)
– BSC = BS controller (all electronics controlling BTSs, even k*100 BTSs)
– BS = base station = BTS + BSC
NOTE: We sometimes omit mentioning BTS, as if BTS + BSC were colocated & were an integrated BS. Sometimes (as in the previous Figure) BTS is denoted as “BS”
– HLR = home location register
– VLR = visitor location register
2) Not discussed yet:
– AUC = authentication center
– EIR = equipment identity register
(Modified by LTL)
9.2. Cellular System Infrastructure – cont. 3
■ HLR and VLR used in a way analogous to mail forwarding by the U.S. Postal Service - fig. above (pp. 190-192)
(Modified by LTL)
20
9.2. Cellular System Infrastructure – cont. 4
■ Unlike in the USPS example, in cellular need not only forward link (home MSC -> visiting MSC)
■ Need also a backward link (visiting MSC -> home MSC) – see fig. below for the bi-directional link
■ Backward link needed for, e.g.:
– Billing - done only by home MSC (mobile switching center)
– Look at the list of access specifications – kept by home MSC
• Is MS active or not (e.g., delayed payment)
• Local calls only or long distance calls allowed or both
• Listing of calls made
• Listing of charges
(Modified by LTL)
21
The end of the “Introduction to Cellular Systems”
22
GSM Security: The SIM card (Subscriber Identity Module)
■ Security req’s for SIMs (SIMs implemented as smart cards)
– Tamper-resistance
– Protected by a PIN code (checked locally by the SIM)
– Removable from the terminal
– Contains all end-user-specific data required in the Mobile Station:
• IMSI: International Mobile Subscriber Identity (permanent user’s identity)
• PIN
• TMSI (Temporary Mobile Subscriber Identity)
• Ki : User’s secret key
• Kc : Ciphering key
• List of the most recent call attempts
• List of preferred operators
• Supplementary service data (abbreviated dialing, last short messages received,...)
23
Authentication principle of GSM
* Uses challenge-response principle
+ Subscriber (her SIM card) receives a random # (RAND) as a challenge
+ 2 B authenticated, subscriber (SIM) must compute a correct response
- Computed from the challenge (RAND) and long-term secret key (K)
- K known only to Subscriber (her SIM) and the operator
- RAND ensures freshness of response (w/o RAND, attacker could use old response)
For more interesting case, consider auth’g subscriber in visited network (not in home network) – see Fig. 1.1
[Figure legend:]
PRNG – pseudo-random RAND # generator
A3, A8 – algorithms from GSM specs
SRES – correct response to the challenge
CK – encr. key for mobile-to-visited net communication
SRES’ – response to chall. fr. mobile
24
Authentication principle of GSM (2)
* Notes: VN = visited network, HN = home network
+ VN authenticates subscriber w/o knowing K (long term key)
- Knows CK (encr. key for mobile-to-visited net communications)
- VN needs not consult HN
+ HN needs not be contacted by VN each time subscriber must be
authenticated
- Bec. HN can send a few triplets (RAND, SRES, CK) each time it is
contacted by VN
+ Subscriber identity hidden from eavesdroppers by using TMSI
- IMSI used for 1st authentication
- TMSI assigned to Subscriber by VN after 1st successful
authentication
- Encrypted with CK
- Mobile uses TMSI to communicate w/ VN
+ When Subscriber moves to VN2 (another VN),:
- VN2 contacts VN1
- VN1 sends TMSI to VN2
25
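The triplet mechanism described on the two slides above, written out as an added example (this is not code from the slides, from the Buttyan and Hubaux text, or from the GSM specifications). The operator-specific algorithms A3 and A8 are not public, so the stand-ins `a3` and `a8` below are HMAC-SHA256 truncated to the GSM field sizes; the class and method names, the test IMSI and the Ki value are all constructed for the example. The point it shows is the trust split: the home network hands the visited network (RAND, SRES, Kc) triplets, the visited network checks the SIM’s response and takes Kc from the triplet, and Ki never leaves the SIM or the home network. The request counter shows that one contact with the home network covers several authentications.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Added example, not code from the slides or from the GSM specs: the operator
# specific algorithms A3 (response) and A8 (ciphering key) are stand-ins built
# from HMAC-SHA256, truncated to the GSM field sizes (SRES 32 bits, Kc 64 bits).

def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

@dataclass(frozen=True)
class Triplet:
    rand: bytes   # challenge, 128 bits
    sres: bytes   # expected signed response
    kc: bytes     # ciphering key for the air interface

class HomeNetwork:
    """Authentication centre of the HN: holds Ki per IMSI, never exports it."""
    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)
        self.requests = 0   # how often a VN had to contact us

    def triplets(self, imsi: str, n: int = 3) -> list:
        self.requests += 1
        ki = self._ki[imsi]
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)   # fresh challenge per triplet
            out.append(Triplet(rand, a3(ki, rand), a8(ki, rand)))
        return out

class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)   # SRES', Kc

class VisitedNetwork:
    """Authenticates subscribers with HN-supplied triplets; never learns Ki."""
    def __init__(self, hn: HomeNetwork):
        self._hn = hn
        self._spare = {}   # imsi -> unused triplets

    def authenticate(self, sim: Sim):
        spare = self._spare.setdefault(sim.imsi, [])
        if not spare:                          # only now is the HN contacted
            spare.extend(self._hn.triplets(sim.imsi))
        t = spare.pop(0)                       # each triplet is used once
        sres, _ = sim.respond(t.rand)
        if hmac.compare_digest(sres, t.sres):
            return True, t.kc                  # Kc comes from the triplet
        return False, None

def demo() -> dict:
    imsi = "001010123456789"                                   # constructed test IMSI
    ki = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")     # constructed Ki
    hn = HomeNetwork({imsi: ki})
    vn = VisitedNetwork(hn)
    genuine = Sim(imsi, ki)
    clone = Sim(imsi, bytes(16))                               # same IMSI, wrong Ki
    ok1, kc1 = vn.authenticate(genuine)
    ok2, kc2 = vn.authenticate(genuine)
    ok3, _ = vn.authenticate(clone)
    return {"first": ok1, "second": ok2, "clone": ok3,
            "hn_requests": hn.requests, "fresh_kc": kc1 != kc2}
```

Because each triplet carries its own RAND, the response and Kc differ from one authentication to the next, which is what stops an old recorded response from being replayed; a SIM with the right IMSI but the wrong Ki fails the comparison without the visited network ever having seen Ki.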
SKIP-Authentication principle of GSM (original sl.)
[Figure (cf. Fig. 1.1): GSM authentication between Mobile Station, Visited network and Home network. MS holds Ki and IMSI/TMSI and sends IMSI (or TMSI); VN forwards IMSI to HN; HN picks R, computes Kc = A8(Ki, R) and S = A3(Ki, R), and returns triplets (Kc, R, S); VN sends Authenticate(R); MS computes Kc = A8(Ki, R) and S’ = A3(Ki, R) and replies Auth-ack(S’); VN checks S = S’?]
26
SKIP-Cryptographic algorithms of GSM
[Figure: R (random number) and Ki (user’s secret key) feed A3 and A8, producing S and Kc; the triplet (R, S, Kc) is used for authentication; Kc feeds the A5 ciphering algorithm]
Kc: ciphering key
S : signed result
A3: subscriber authentication (operator-dependent algorithm)
A5: ciphering/deciphering (standardized algorithm)
A8: cipher generation (operator-dependent algorithm)
27
Ciphering in GSM
[Figure: at the sender (MS or Network), A5 takes the FRAME NUMBER and Kc and outputs a CIPHERING SEQUENCE that is XORed with the PLAINTEXT SEQUENCE to give the CIPHERTEXT SEQUENCE; the receiver (Network or MS) regenerates the same CIPHERING SEQUENCE from the FRAME NUMBER and Kc and XORs it with the ciphertext to recover the PLAINTEXT SEQUENCE]
Kc = ciphering key
A5 = ciphering/deciphering (standardized algorithm)
28
Conclusion on GSM security
■ Security services provided by GSM security architecture:
– Focus on the protection of the air interface
• No protection on the wired part of the network
» Neither for privacy nor for confidentiality
– Allow the visited network access to almost all data
• Except the secret key of the end user
– Generally robust…
– … but a few successful attacks have been reported:
• faking base stations
• cloning SIM card
29
UMTS Security Architecture (1a)
■ Motivation and goals
– New kind of service providers
• content providers, HLR only service providers,…
» HLR = Home Location Register
– Increased control for users over their service profiles
– Enhanced resistance to active attacks
– Increased importance of non-voice services
– Reuse GSM (2G) security principles
– …
30
UMTS Security Architecture (1b)
■ Reusing GSM security principles (from GSM):
– Removable hardware security module
• In GSM (2G): SIM card
• In UMTS (3G): USIM (User Services Identity Module)
– Radio interface encryption
– Limited trust in a visited network
• K (long-term key) never revealed to it
– Protection of the end user’s identity
• Especially on the radio interface
• Using TMSI instead of IMSI
31
UMTS Security Architecture (2a)
■ Weaknesses of GSM security that require corrections:
– Only unilateral authentication
• Authenticates only MS (mobile station) to BS (base station) in visited net (none in reverse)
=> Allows for fake BSs
• Then run MITM (man-in-the-middle) attacks from it
» Using “IMSI catchers” (devices for protocol testing)
• Facilitated by inability of subscriber to verify freshness of the received challenge
– Lack of integrity protection for communication/signalling over radio
• Facilitates using fake BSs
• Integrity not critical for voice communications (just some voice distortion) but ...
... Integrity critical for data communications (each bit matters!)
32
UMTS Security Architecture (2b)
■ Weaknesses of GSM security that require corrections – cont.
– Short length of encryption key
– Weaknesses in implementations of the A3 and A8 algorithms
• Allow compromising K (long-term key)
» This allows cloning SIM
– ...
33
UMTS Security Architecture (3)
■ Principles for new security architecture in UMTS
– Fix the weaknesses of GSM
– Without changing general GSM security principles
=> Extending them
• ‘Reverse’ authentication (BS to MS)
• Integrity protection
■ New security features in 3G
– Address the weaknesses
– Without changing general GSM security principles
– Instead, extend GSM security principles
• ‘Reverse’ authentication (BS to MS)
• Integrity protection
34
Authentication in UMTS
■ Details
– GSM triplet (RAND, SRES, CK) replaced by a quintuple – the UMTS authentication vector:
(RAND, XRES, CK, IK, AUTN)
where:
• RAND – as before
• XRES – expected response to RAND
• CK – as before
• IK – integrity protection key
• AUTN – token that:
(a) authenticates HN (home net) to MS
(b) proves freshness of RAND
35
Authentication in UMTS (2)
• Construction of authentication vector in UMTS standard
• SQN = sequence # maintained synchronously by MS and HN
• AK = anonymity key: to hide SQN value from eavesdroppers
• AMF = auth. & key mngmt field: to pass parameters from HN to MS
• MAC = message authentication code (nothing to do with MAC sublayer)
• f1 – f5 = one-way (hashing) functions
Notes:
- ⊕ - the XOR operation
- SQN encoded with AK to protect privacy of MS (otherwise eavesdropper could associate different executions of authorization protocol with consecutive sequence #s to the same subscriber)
36
Authentication in UMTS-3GPP
[Figure: message flow between MS, Visited Network and Home Network. VN sends IMSI/TMSI to HN; HN (holding K, the user’s secret key, and SQN) generates cryptographic material: the i-th authentication vector <RAND(i), XRES(i), CK(i), IK(i), AUTN(i)>, sent to VN; VN sends User authentication request RAND(i) || AUTN(i) to MS; MS (holding K) 1) verifies AUTN(i) (cf. next slide): generates AK, decodes SQN, verifies MAC, verifies SQN(i); 2) computes RES(i) (next); sends User authentication response RES(i); VN compares RES(i) and XRES(i) and selects CK(i) and IK(i); MS 3) computes CK(i) (next), 4) computes IK(i) (next)]
Recall:
• AK = anonymity key: to hide SQN value from eavesdroppers
• SQN = sequence # maintained synchronously by MS and HN
• MAC = message authentication code
From now on CK(i) & IK(i) used to protect integrity & confidentiality of msgs
37
User Authentication Function in the USIM
[Figure: inputs are AUTN(i) = (SQN ⊕ AK) || AMF || MAC and RAND(i). f5 over K and RAND(i) gives AK(i); SQN(i) = (SQN ⊕ AK) ⊕ AK(i); f1 over K, RAND(i), SQN(i) and AMF gives XMAC(i) (Expected MAC); f2 over K and RAND(i) gives RES(i) (Result); f3 gives CK(i) (Cipher Key); f4 gives IK(i) (Integrity Key)]
• Verify MAC = XMAC (if yes, SQN originated in MS’s home network)
• Verify that SQN(i) > most recent SQN stored by MS
USIM: User Services Identity Module
38
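The authentication vector construction from slide 36 and the USIM checks from the slide above, as an added example that is not code from the slides, from the Buttyan and Hubaux text, or from 3GPP. The one-way functions f1 to f5 are modelled with HMAC-SHA256 truncated to the 3GPP field sizes (the real operator functions, e.g. MILENAGE, differ); the class names, the AMF value and the key K are constructed for the example. It shows AUTN = (SQN ⊕ AK) || AMF || MAC being built by the home network, the USIM recovering SQN with AK, comparing MAC with XMAC and rejecting a sequence number that is not larger than the last one accepted, and the visited network comparing RES with XRES without knowing K.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Added example, not code from the slides or from 3GPP: the one-way functions
# f1..f5 are modelled with HMAC-SHA256 truncated to the 3GPP field sizes
# (MAC 64 bits, AK 48 bits, CK/IK 128 bits; RES is taken as 64 bits). The real
# operator functions (e.g. MILENAGE) differ, but the vector layout and the
# checks done by the USIM are the ones described on the slides.

def _f(k: bytes, label: bytes, parts: bytes, n: int) -> bytes:
    return hmac.new(k, label + parts, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand + sqn + amf, 8)  # MAC / XMAC
def f2(k, rand):           return _f(k, b"f2", rand, 8)              # RES / XRES
def f3(k, rand):           return _f(k, b"f3", rand, 16)             # CK
def f4(k, rand):           return _f(k, b"f4", rand, 16)             # IK
def f5(k, rand):           return _f(k, b"f5", rand, 6)              # AK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass(frozen=True)
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes   # (SQN xor AK) || AMF || MAC, 6 + 2 + 8 bytes

class HomeNetwork:
    """Holds K and the per-subscriber SQN counter; never exports K."""
    def __init__(self, k: bytes):
        self._k = k
        self._sqn = 0

    def auth_vector(self) -> AuthVector:
        self._sqn += 1                                   # fresh SQN per vector
        sqn = self._sqn.to_bytes(6, "big")
        amf = b"\x80\x00"                                # constructed AMF value
        rand = secrets.token_bytes(16)
        mac = f1(self._k, rand, sqn, amf)
        autn = xor(sqn, f5(self._k, rand)) + amf + mac   # SQN hidden by AK
        return AuthVector(rand, f2(self._k, rand), f3(self._k, rand),
                          f4(self._k, rand), autn)

class Usim:
    """USIM side: verify AUTN, then derive RES, CK, IK."""
    def __init__(self, k: bytes):
        self._k = k
        self._sqn_max = 0   # highest SQN accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        ak = f5(self._k, rand)
        sqn_bytes, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        xmac = f1(self._k, rand, sqn_bytes, amf)
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC failure")              # AUTN not from the home network
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self._sqn_max:
            raise ValueError("SQN failure")              # stale or replayed challenge
        self._sqn_max = sqn
        return f2(self._k, rand), f3(self._k, rand), f4(self._k, rand)

class VisitedNetwork:
    """Compares RES with XRES; never sees K."""
    def __init__(self, hn: HomeNetwork):
        self._hn = hn

    def authenticate(self, usim: Usim, av=None):
        av = av or self._hn.auth_vector()
        try:
            res, ck, ik = usim.authenticate(av.rand, av.autn)
        except ValueError as e:
            return False, str(e), None
        if hmac.compare_digest(res, av.xres):
            return True, "ok", (ck, ik)
        return False, "RES mismatch", None

def demo() -> dict:
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed K
    hn, usim = HomeNetwork(k), Usim(k)
    vn = VisitedNetwork(hn)
    fresh = vn.authenticate(usim)
    av = hn.auth_vector()
    first_use = vn.authenticate(usim, av)
    replayed = vn.authenticate(usim, av)                    # same AUTN presented again
    tampered_autn = av.autn[:6] + bytes([av.autn[6] ^ 0x01]) + av.autn[7:]
    tampered = vn.authenticate(usim, AuthVector(av.rand, av.xres, av.ck, av.ik, tampered_autn))
    return {"fresh": fresh[1], "first_use": first_use[1], "replayed": replayed[1],
            "tampered": tampered[1], "keys_match": first_use[2] == (av.ck, av.ik)}
```

The order of the two checks matters: MAC first, so that a forged AUTN cannot influence the stored SQN, then SQN, so that a genuine but old vector is refused. The standard keeps a small window of sequence numbers rather than the single counter used here; the example simplifies that to the strict comparison the slide states.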
Conclusion on UMTS security
■ Some improvement w.r.t. 2G
– Cryptographic algorithms are published
– Integrity of the signalling messages is protected
■ Quite conservative solution
■ Privacy/anonymity of the user not completely protected
■ Complicates 2G-3G interoperability
– Might open security breaches
39
Securing wireless networks
b. WiFi Security: WEP, WPA, & WPA2
- intro to WiFi
- WEP
- intro to WEP
- WEP flaws
- WEP – Lessons learnt
- 802.11i
- Summary of WiFi security
b.1. Introduction to WiFi (1)
STA = mobile STAtion
AP = Access Point
[Figure: STA scans on each channel; AP sends a beacon; STA sends an association request; AP returns an association response; STA is then “connected”. Beacon fields: MAC header, timestamp, beacon interval, capability info, SSID (network name), supported data rates, radio parameters, power slave flags]
41
Introduction to WiFi (2)
[Figure: an AP connecting STAs to the Internet]
42
b.2. WEP
b.2.1. Intro to WEP
■ WEP = Wired Equivalent Privacy
■ WEP is a part of the IEEE 802.11 specification
■ goal
– make WiFi net at least as secure as a wired LAN
• that has no particular protection mechanisms
– WEP was never intended to achieve strong security
■ services
– access control to the network
– message confidentiality
– message integrity
43
WEP – Access control
■ before association, STA needs to authenticate itself to AP
■ authentication is based on a simple challenge-response protocol:
STA → AP: authenticate request
AP → STA: authenticate challenge (r)
r is 128 bits long
STA → AP: authenticate response (eK(r))
AP → STA: authenticate success/failure
■ if authentication fails, no association is possible
■ if authentication succeeds:
– STA sends an association request
– AP responds with an association response
44
WEP – Message confidentiality and integrity
■ WEP encryption - based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.)
– Operation:
• Sending message:
– RC4 generator is initialized with:
» a shared secret (shared between STA & AP)
» an initialization vector (IV) – 24 bits
– RC4 produces a key stream (a pseudo-random byte sequence)
– Key stream is XORed with the message
• Msg reception is analogous
– Essential: different key stream for each message
» shared secret - the same for each message
» IV - changes for every message
■ WEP integrity protection - based on an encrypted CRC value
– Operation:
• Integrity check value (ICV) is computed and appended to the message
• the message and the ICV are encrypted together
45
WEP – Message confidentiality and integrity (2)
[Figure: IV and secret key seed RC4, which outputs key stream K (shaded means secret). Encode: (message || ICV) ⊕ K is sent together with the IV in the clear; ICV = CRC value for “message”. Decode: the receiver seeds RC4 with the received IV and the secret key, regenerates K and XORs it with the ciphertext to recover message || ICV]
Fig. 1.3. Encryption and decryption in WEP
46
WEP – Kinds of Keys
■ WEP standard - two kinds of keys are allowed
– Default key
• Also called: shared key, group key, multicast key, broadcast key, key
– Key-mapping keys
• Also called: individual key, per-station key, unique key
[Figure: Default key: the AP’s table lists id:X, id:Y and id:Z all with key:abc, and every STA holds key:abc. Key-mapping key: the AP’s table lists id:X | key:def, id:Y | key:ghi, id:Z | key:jkl, and each STA holds only its own key (X: def, Y: ghi, Z: jkl)]
■ In practice, often only default keys are supported
– Default key - manually installed in every STA & AP
– Each STA uses the same shared secret key (see the “Default key” fig.)
=> in principle, STAs can decrypt each other’s messages
47
WEP – Management of default keys
■ The default key is a group key
– Group keys need to be changed when a member leaves the group
• E.g., when someone leaves the company and shouldn’t have access to its network anymore
■ Practically impossible to change the default key in every device simultaneously
■ => WEP supports multiple default keys for smooth change of keys
– One of the keys is the active key
• Used currently to encrypt messages
– Any default key can be used to decrypt messages
• The message header contains a key ID
» Allows the receiver to find out a key to decrypt the message (allows the receiver to know default keys – knowing one is enough)
48
WEP – The key change process
[Figure: key sets held by STA1, AP and STA2 over time. a, b, c – default keys; * indicates the active key. Initially all three hold abc* (c active). The new keys d, e, f are installed one device at a time: a device holding abc*def still encrypts with c; the devices then switch to abcdef*; finally a, b, c are removed, leaving --def* everywhere]
Note:
* New STA can read msg encoded with c (since it includes it as a default key)
* AP can read msg encoded with f (since it includes it as a default key)
49
b.2.2. WEP flaws
WEP Flaws in Authentication & Access Control
■ Flaw 1: Authentication is not mutual (one-way only)
– AP is not authenticated by STA (mobile STAtion)
• STA is at risk to associate with a rogue AP
■ Flaw 2: The same shared secret key used for authentication & encryption
• I authenticate X if X uses one of “my” group keys for encrypting her messages
• I don’t authenticate Y if his msg can’t be decrypted using one of my group keys
– Bad! Weaknesses in any of the two protocols can be used to break the key for the other protocol
■ Flaw 3: STA authenticated only at connection time
=> Access control is not continuous
– Once STA has authenticated with (& associated to) AP, an attacker can send messages using the MAC (medium access control) address of STA
• Correctly encrypted messages cannot be produced by the attacker (does not know a group key)…
• … But attacker can replay STA msgs (e.g., STA1 msg replayed as STA 5 msg)
=> STA can be impersonated (next slide)
50
WEP flaws in Authentication and Access Control (2a)
■ Flaw 4: Using RC4 for encrypting random challenge
– Recall: Authentication based on a challenge-response protocol:
…
AP → STA: C
STA receives C, calculates response:
[Figure: IV and secret key seed RC4, which outputs K = a 128-bit key stream; STA encodes the challenge C (C = challenge) as C ⊕ K]
STA → AP: IV || (C ⊕ K)
…
51
WEP flaws in Authentication and Access Control (2b)
– An attacker can:
• Capture challenge C - when sent from AP to STA
• Capture challenge encrypted in response R = (C ⊕ K) - when sent from STA to AP
• Compute key stream: K = C ⊕ (C ⊕ K)
– Later, attacker can use key stream K to impersonate a legitimate STA:
…
AP → attacker: C’ (C’ – any challenge!)
attacker → AP: IV || (C’ ⊕ K) - correct attacker’s response to any challenge
…
Note: IV does not help to prevent the attack
- Since selected by the sender – i.e., the attacker
52
WEP Flaws in Replay Protection & Integrity
■ Replay protection: none at all
– IV not mandated to be incremented after each msg
■ Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption
– ICV appended to clear message M (see Fig. 1.3) is the CRC value for M (CRC = cyclic redundancy code)
– CRC is a linear function w.r.t. XOR:
CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)
- WEP-encrypted message M (cf. Fig. 1.3):
(M || CRC(M)) ⊕ K
53
WEP Flaws in Replay Protection & Integrity (2)
■ Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption – cont.
- Attacker observes encrypted message M:
(M || CRC(M)) ⊕ K
- ΔM = changes that attacker wants to make in M
- Unfortunately, the attacker can compute CRC(ΔM) for any ΔM
- Hence, the attacker can also compute encrypted message (M ⊕ ΔM) as follows:
Captured encrypted message M ⊕ encrypted ΔM =
((M || CRC(M)) ⊕ K) ⊕ (ΔM || CRC(ΔM)) =
((M ⊕ ΔM) || (CRC(M) ⊕ CRC(ΔM))) ⊕ K =
((M ⊕ ΔM) || CRC(M ⊕ ΔM)) ⊕ K - encrypted message (M ⊕ ΔM)
[Side notes:]
- Att. uses captured encrypted msg, then adds the last component (that includes no K! -- so needs NOT know K!)
- By rules of math, the effect is AS IF the att. knew K (even so does NOT know K)
54
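The WEP framing of Fig. 1.3 (slides 45-46) and the CRC linearity argument of the two slides above, carried through in code as an added example that is not code from the slides or from the Buttyan and Hubaux text. The RC4 routine, the 40-bit key, the IV and the message are constructed for the example. One detail goes beyond the slide: the standard CRC-32 used as the WEP ICV has an initial value and a final XOR, so it is affine rather than strictly linear over XOR, CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y) ⊕ CRC(0…0); the extra constant depends only on the message length, so the conclusion of the slide is unchanged. The block also shows the fix a designer would make: with a keyed MAC in place of the CRC as the ICV, the same XOR manipulation is rejected.

```python
import hmac
import hashlib
import zlib
from itertools import zip_longest

# Added example (not code from the slides or from the Buttyan/Hubaux text):
# a minimal model of a WEP frame body (RC4 key stream XORed over
# message || ICV, ICV = CRC-32) used to check the CRC linearity property
# stated on the slides and to contrast it with a keyed MAC.

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    # the shorter operand is zero-padded, so XORing a short delta into a
    # longer ciphertext leaves the tail unchanged
    return bytes(x ^ y for x, y in zip_longest(a, b, fillvalue=0))

def icv(msg: bytes) -> bytes:
    """WEP integrity check value: 4-byte CRC-32 of the clear message."""
    return zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    # RC4 is seeded with IV || secret key; the IV travels in the clear
    ks = rc4_keystream(iv + secret, len(msg) + 4)
    return xor(msg + icv(msg), ks)

def wep_decrypt(secret: bytes, iv: bytes, ct: bytes):
    """Return the message if its ICV checks, None otherwise."""
    pt = xor(ct, rc4_keystream(iv + secret, len(ct)))
    msg, tag = pt[:-4], pt[-4:]
    return msg if tag == icv(msg) else None

def icv_delta(dm: bytes) -> bytes:
    # CRC-32 is affine over XOR: CRC(M ^ DM) = CRC(M) ^ CRC(DM) ^ CRC(0..0),
    # where CRC(0..0) is the CRC of zeros of the same length; that constant
    # comes from the init value and final XOR of standard CRC-32, and is
    # zero for raw polynomial division (the slide's exact linearity).
    # Either way the correction needs no key.
    return xor(icv(dm), icv(bytes(len(dm))))

def crc_is_linear(x: bytes, y: bytes) -> bool:
    return icv(xor(x, y)) == xor(icv(x), icv_delta(y))

def flip_bits(ct: bytes, dm: bytes) -> bytes:
    """The manipulation from the slides: XOR (DM || ICV-delta) into the
    ciphertext so that (M ^ DM) || CRC(M ^ DM) stays consistent, without K."""
    return xor(ct, dm + icv_delta(dm))

def mac_tag(mac_key: bytes, msg: bytes) -> bytes:
    # keyed MAC instead of CRC: not linear, so no key-free ICV-delta exists
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:8]

def mac_encrypt(secret: bytes, mac_key: bytes, iv: bytes, msg: bytes) -> bytes:
    ks = rc4_keystream(iv + secret, len(msg) + 8)
    return xor(msg + mac_tag(mac_key, msg), ks)

def mac_decrypt(secret: bytes, mac_key: bytes, iv: bytes, ct: bytes):
    pt = xor(ct, rc4_keystream(iv + secret, len(ct)))
    msg, tag = pt[:-8], pt[-8:]
    return msg if hmac.compare_digest(tag, mac_tag(mac_key, msg)) else None

def demo() -> dict:
    secret = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    mac_key = bytes.fromhex("0a0b0c0d0e0f")   # constructed MAC key (hardened variant only)
    iv = bytes.fromhex("a1b2c3")              # constructed 24-bit IV
    msg = b"PAY 100 USD TO ALICE"
    dm = bytearray(len(msg))
    dm[4] = ord("1") ^ ord("9")               # the delta turns "100" into "900"
    dm = bytes(dm)
    ct = wep_encrypt(secret, iv, msg)
    ct_mac = mac_encrypt(secret, mac_key, iv, msg)
    return {
        "roundtrip": wep_decrypt(secret, iv, ct),
        "crc_linear": crc_is_linear(msg, dm),
        "wep_accepts_modified": wep_decrypt(secret, iv, flip_bits(ct, dm)),
        "mac_accepts_modified": mac_decrypt(secret, mac_key, iv, flip_bits(ct_mac, dm)),
    }
```

`wep_decrypt` accepts the manipulated frame and returns the altered message, which is the flaw; `mac_decrypt` returns None for the same manipulation because the tag now depends on a key the manipulation never had. The lesson-learnt slide that follows states the general rule: an ICV built from a function that is linear with respect to the encryption’s XOR gives no integrity at all.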
WEP Flaws in Confidentiality
■ Flaw 1: IV reuse
– IV space is too small - only 24 bits
=> there are about 17 million (16,777,216) possible IVs
- IV reused after about 17 million msgs
– WiFi device xmits approx. 500 full-length frames per sec. =>
=> IV space is used up in a few hours
=> Repeating IVs means repeating key streams (pseudorandom sequences) used for encryption
55
WEP Flaws in Confidentiality (2)
■ Flaw 2: IV initialization & incrementing
– Many implementations initialize IV with 0 on startup & increment it by 1 for each next msg
• If several devices are switched on nearly simultaneously, all use the same sequence of IVs
• If they all use the same secret key (which is the common case for a default key for a group of devices under a single AP), then same key streams (pseudo-random sequences) used for encryption
=> An attacker does not need to wait for msgs using repeated key streams (due to using up all IV values)
• Gets messages encrypted with the same key stream immediately
56
WEP flaws in Confidentiality (3)
■ Flaw 3 (total collapse of WEP): Weak RC4 keys
– For weak keys (some seed values), the beginning of the RC4 output is not really random
• One can infer the bits of the seed from the first few bytes of the RC4 output
=> breaking the key is made easier
– Crypto experts suggest: always throw away the first 256 bytes of the RC4 output…
– … but WEP doesn’t do that
57
WEP flaws in Confidentiality (4)
■ Flaw 3 (total collapse of WEP): Weak RC4 keys – cont.
– Due to the use of ever-changing IV values, eventually a weak key will be used
• Attacker will know that
» Because IVs are sent in the clear (see Fig. 1.3)
- WEP encryption can be broken:
- by automatic key-cracking tools!
- after eavesdropping on only k * 100,000 of msgs!
– This is the most serious flaw
• Since breaking WEP means finding out the secret key! (see Fig. 1.3)
» Can read and fake messages at will
58
b.2.3. WEP – Lessons learnt
1. Engineering security protocols is difficult
– One can combine otherwise strong building blocks in a
wrong way & obtain an insecure system at the end
• Example 1:
– Stream ciphers (e.g., RC4) alone are OK
– Challenge-response protocols for authentication
are OK
– But they shouldn’t be combined (as in WEP)
• Example 2:
– Encrypting a msg digest (such as CRC) to obtain an
ICV is a good principle
– But it doesn’t work if the message digest
function is linear w.r.t. the encryption function (as
is the case for CRC, which is linear w.r.t. the XOR function used
for encryption in WEP)
59
WEP – Lessons lear
1. Engineering security protocols is difficult – cont.
– Use help of a security expert — don’t do it alone (unless you are a security expert)
• Functional properties can be tested...
• ...but security can’t be tested
- it is a non-functional property
=> it is extremely difficult to tell if a system is secure or not
– Using an expert in the design phase pays off (fixing the system after deployment will be much more expensive)
• experts will not guarantee that your system is 100% secure...
• ...but at least they know many pitfalls
• they know the details of crypto algorithms
2. Avoid the use of WEP (as much as possible)
60
b.3. Overview of 802.11i
■ After the collapse of WEP => IEEE started to develop a new security architecture
=> 802.11i & Robust Security Network (RSN)
■ Main novelties in 802.11i w.r.t. WEP
– access control model is based on 802.1X
– flexible authentication framework
• based on EAP – Extensible Authentication Protocol
– authentication can be based on strong protocols
• e.g., TLS – Transport Layer Security
– authentication process results in a shared session key
• prevents session hijacking
– different functions (encryption, integrity) use different keys derived from the session key using a one-way (hashing) function
– improved integrity protection
– improved encryption
61
b.3. Overview of 802.11i (2)
■ 802.11i defines RSN (Robust Security Network)
– integrity protection & encryption based on AES
• not on RC4 anymore
– nice solution ...
– ... but needs new hardware => can’t be adopted quickly
■ In addition to RSN, 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol)
– ugly solution ...
– ... but no new hardware required
• runs on old hardware after a software upgrade
– confidentiality: encryption based on RC4
• but WEP’s problems have been avoided
– integrity protection based on Michael (more on it later)
– authentication, access control, key management — same as in RSN
62
b.3. Overview of 802.11i (3)
■ Industrial names
(industry, eager to fix WEP’s flaws, didn’t wait till 802.11i architecture was finalized by IEEE. It quickly produced its own specs, hence had to use different names.)
– For TKIP: WPA (WiFi Protected Access)
– For RSN: WPA2
■ Chronology [Wikipedia]
– WEP security specification is a part of the IEEE 802.11 standard ratified in Sept. 1999
– RSN & TKIP are defined in IEEE 802.11i, draft standard ratified in June 2004
63
b.3.1. Authentication and access control in 802.11i
■ Authentication and access control in 802.11i
– Borrowed from the 802.1X standard
• 802.1X originally for wired LANs
■ 802.1X authentication & access control model – next slide
64
802.1X authentication model
[Figure: supplicant system (supplicant), authenticator system (authenticator, with a port that controls access to the services) and authentication server system (authentication server), connected over a LAN]
■ the supplicant requests access to the services (wants to connect to the network)
■ the authenticator controls access to the services (controls the state of a port)
■ the authentication server authorizes access to the services
– the supplicant authenticates itself to the authentication server (via the authenticator)
– if the authentication is successful:
• the authentication server instructs the authenticator to switch the port on
• the authentication server informs the supplicant that access is allowed
65
Mapping the 802.1X model to WiFi
■ Mapping 802.1X to WiFi:
– supplicant = STA (mobile device)
– authenticator = AP (access point)
– authentication server = server application running on AP or on a dedicated machine
– port = logical state implemented in software in the AP
■ One more thing added to the basic 802.1X model in 802.11i:
– successful authentication results not only in switching the port on
– also in defining a session key between STA (supplicant) and the authentication server
• the session key is sent to the AP (authenticator) in a secure way
» using a shared key between the AP and the authentication server
» this key is usually set up manually
66
Protocols – RADIUS, EAPOL, and EAP
■ RADIUS = Remote Access Dial-In User Service [RFC 2865-2869, RFC 2548]
– to carry EAP messages (next) between auth server & AP
• MS-MPPE-Recv-Key attribute is used to transport the session key from auth server to AP
– RADIUS is mandatory for WPA & optional for RSN
■ EAPOL = EAP over LAN [802.1X]
– to carry EAP messages (next) between STA & AP
– to encapsulate EAP messages into LAN protocols
• e.g., into Ethernet protocols
67
Summary of the protocol architecture
[Figure: protocol stacks. STA: TLS (RFC 2246) / EAP-TLS (RFC 2716) / EAP (RFC 3748) / EAPOL (802.1X) / 802.11. AP: EAPOL (802.1X) over 802.11 towards the STA; EAP over RADIUS (RFC 3579) / RADIUS (RFC 2865) / TCP/IP / 802.3 or else towards the auth server. auth server: TLS / EAP-TLS / EAP / EAP over RADIUS / RADIUS / TCP/IP / 802.3 or else]
IEEE 802.3 - collection of IEEE standards defining the physical layer and the media
access control (MAC) sublayer of the data link layer of wired Ethernet. This is
generally a LAN technology with some WAN applications. [Wikipedia, “IEEE 802.3“]
68
Protocols – RADIUS, EAPOL, and EAP (2)
 EAP = Extensible Authentication Protocol
[RFC 3748]
– carrier protocol - to transport the messages of “real”
authentication protocols (e.g., TLS)
– very simple, with four types of messages:
• EAP request – carries messages from the authentication
server (via the authenticator) to the supplicant
• EAP response – carries messages from the supplicant
to the authentication server (via the authenticator)
• EAP success – signals successful authentication
• EAP failure – signals authentication failure
– authenticator (AP) doesn’t understand what is inside
the EAP messages
• it recognizes only EAP success and EAP failure
69
Protocols – RADIUS, EAPOL, and EAP(3)
 EAP-TLS = TLS over EAP
[RFC 2716]
– for server & client authentication, generation of
master secret
– only the TLS Handshake Protocol is used
– TLS master secret becomes the session key
– mandatory for WPA & optional for RSN
71
SKIP- Summary of the 802.11i protocol
architecture
73
EAP in action
(figure: message sequence; STA–AP messages are encapsulated in EAPOL, AP–auth server messages in EAP over RADIUS)
STA -> AP: EAPOL-Start
AP -> STA: EAP Request (Identity)
STA -> AP -> auth server: EAP Response (Identity)
auth server -> AP -> STA: EAP Request 1
STA -> AP -> auth server: EAP Response 1
... (embedded auth. protocol) ...
auth server -> AP -> STA: EAP Request n
STA -> AP -> auth server: EAP Response n
auth server -> AP -> STA: EAP Success
74
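The exchange in the figure, as an added example that is not part of the slides and not code from any supplicant, AP or RADIUS product. The packet layout is RFC 3748 (Code, Identifier, Length, Type); the embedded method is EAP-MD5-Challenge (Type 4, RFC 3748 section 5.4), chosen only because it fits in a few lines: it derives no key and does not authenticate the server, so it cannot supply a PMK for 802.11i, which is why WPA mandates EAP-TLS. The user database, password and server name are constructed.

```python
"""Added example: an EAP exchange relayed by an authenticator that inspects only
the Code field. Names and credentials are constructed for the example."""
import hashlib
import hmac
import os
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4        # EAP Codes
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4   # EAP Types used here


def build_eap(code, ident, eap_type=None, data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]; Length covers everything."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("malformed EAP packet")       # drop it, do not guess
    if length == 4:
        return code, ident, None, b""                   # Success / Failure carry no Type
    return code, ident, pkt[4], pkt[5:]


class Supplicant:
    """The STA side: answers Requests, ignores everything else."""
    def __init__(self, identity, password):
        self.identity, self.password = identity.encode(), password.encode()

    def handle(self, pkt):
        code, ident, eap_type, data = parse_eap(pkt)
        if code != REQUEST:
            return None
        if eap_type == TYPE_IDENTITY:
            return build_eap(RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if eap_type == TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]             # Value-Size | Value | Name
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return build_eap(RESPONSE, ident, TYPE_MD5_CHALLENGE, bytes([16]) + digest + self.identity)
        return build_eap(RESPONSE, ident, TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))


class AuthServer:
    """Runs the method. Identifier and challenge are tracked so a Response is accepted once."""
    def __init__(self, users):
        self.users, self.identity, self.challenge, self.expected_ident = users, None, None, None

    def handle(self, pkt):
        code, ident, eap_type, data = parse_eap(pkt)
        if code == RESPONSE and eap_type == TYPE_IDENTITY:
            self.identity, self.challenge = data, os.urandom(16)
            self.expected_ident = (ident + 1) & 0xFF    # fresh Identifier for the new Request
            return build_eap(REQUEST, self.expected_ident, TYPE_MD5_CHALLENGE,
                             bytes([16]) + self.challenge + b"as.example")
        if (code == RESPONSE and eap_type == TYPE_MD5_CHALLENGE
                and ident == self.expected_ident and self.challenge is not None):
            password = self.users.get(self.identity, b"")
            expected = hashlib.md5(bytes([ident]) + password + self.challenge).digest()
            ok = bool(password) and hmac.compare_digest(data[1:1 + data[0]], expected)
            self.challenge = None                       # a challenge is answered once
            return build_eap(SUCCESS if ok else FAILURE, ident)
        return build_eap(FAILURE, ident)


class Authenticator:
    """The AP: relays EAP between EAPOL (STA side) and RADIUS (server side) and looks
    at nothing but the Code, which is all it needs to decide about the port."""
    def __init__(self, server):
        self.server, self.port_open, self.trace = server, False, []

    def authenticate(self, supplicant):
        pkt = build_eap(REQUEST, 0, TYPE_IDENTITY)      # the AP's reaction to EAPOL-Start
        for _ in range(16):                             # bound on round trips (real stacks: timer)
            self.trace.append(("AP->STA", parse_eap(pkt)[0]))
            reply = supplicant.handle(pkt)
            if reply is None:
                break
            self.trace.append(("STA->AP", parse_eap(reply)[0]))
            pkt = self.server.handle(reply)             # carried in EAP over RADIUS
            code = parse_eap(pkt)[0]
            if code in (SUCCESS, FAILURE):
                self.trace.append(("AP->STA", code))
                supplicant.handle(pkt)
                self.port_open = code == SUCCESS        # "switch the port on"
                return self.port_open
        return False


def run_exchange(password):
    """Constructed user database; returns (port switched on?, EAP Codes in the order the AP saw them)."""
    ap = Authenticator(AuthServer({b"alice": b"correct horse"}))
    ok = ap.authenticate(Supplicant("alice", password))
    return ok, [code for _, code in ap.trace]


if __name__ == "__main__":
    print(run_exchange("correct horse"))   # (True, [1, 2, 1, 2, 3])
    print(run_exchange("wrong"))           # (False, [1, 2, 1, 2, 4])
```

Note that EAP Success itself carries no integrity protection, which is one reason 802.11i does not treat the port as usable until the four-way handshake has shown that both sides hold the PMK.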
b.3.2. Key management
 Pairwise master key (PMK) = the session key established
between STA & AP as a result of the authentication
procedure
– “Pairwise” since known only to STA & AP
• Known also to auth server (AS) - not counted since AS is a
trusted entity
– “Master” bec. not used directly – used to generate
encryption & integrity keys
 Four keys derived from PMK are called the pairwise
transient key (PTK)
(in singular!)
– Data-encryption key (DEK)
– Data-integrity key (DIK)
– Key-encryption key (KEK)
– Key-integrity key (KIK)
(802.11i itself calls KIK the key confirmation key, KCK, and DEK/DIK the temporal key, TK)
75
b.3.2. Key management (2)
 Special case: AES-CCMP – used in RSN (more on it later)
– Three keys only in its PTK (pairwise transient key)
• DEK = DIK
• KEK
• KIK
76
Four-way handshake protocol
 Objective:
– AP & STA exchange their random #s
• to be used in PTK generation
– Proves to AP/STA that the other party also knows
PMK (result of authentic’n)
77
Four-way handshake protocol (2)
 The protocol:
(its msgs are carried by EAPOL)
AP: generate ANonce
(nonce = a random # used only once)
1) AP -> STA: ANonce | KeyReplayCtr
(Ctr = counter)
STA: generate SNonce and compute PTK
2) STA -> AP: SNonce | KeyReplayCtr | MIC_KIK
(above msg includes info needed by AP for computing PTK)
AP: compute PTK, generate GTK & verify MIC (using KIK to verify MIC)
(a successful MIC verification proves to AP that STA has PMK)
3) AP -> STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
STA: verify MIC and install keys
(a successful MIC verification proves to STA that AP has PMK;
also, this msg signals that AP is ready to install the keys
=> ready for encrypting subsequent packets)
4) STA -> AP: KeyReplayCtr+1 | MIC_KIK
(ACK to AP that STA got msg (3) from AP)
AP: verify MIC and install keys
MIC_KIK = Message Integrity Code computed over the message using KIK (by STA in msgs 2 and 4, by AP in msg 3)
{GTK}_KEK = GTK encrypted with KEK
KeyReplayCtr = a counter used to prevent replay attacks (a msg whose counter is not fresh is discarded)
78
Four-way handshake protocol (3)
 From now on, data packets sent between STA and AP are
protected by DEK & DIK
 They don’t protect msgs broadcast by AP to “its” STAs
– Bec. keys for broadcast msgs must be known to all
STAs to which AP wants to broadcast
=> need group transient key (GTK)
(next)
79
Group transient key (GTK)
 Group transient key (GTK)
– GTK includes:
• group-encryption key (GEK)
• group-integrity key (GIK)
– GTK sent to each STA separately
• encrypted with KEK of this single STA
80
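The four-way handshake of slides 77-79 and the GTK delivery of slide 80, as an added example (not code from the slides or from any driver). The PTK derivation is the 802.11i one (PRF-384 over the PMK, the two MAC addresses and the two nonces; the slides' KIK/KEK/DEK are the standard's KCK/KEK/TK) and the MIC is HMAC-SHA1 truncated to 128 bits, the CCMP key-management MIC. The EAPOL-Key frame is reduced to the fields named on the slides; the PMK, addresses, nonces and GTK are constructed values; and because the standard library has no AES, {GTK}_KEK is not actually computed (in CCMP it is AES Key Wrap under the KEK): the key-data field carries an assumed already-wrapped blob, which the MIC still covers.

```python
"""Added example: 802.11i four-way handshake with PTK derivation, MIC_KIK and
the replay counter. Frame layout is simplified; inputs are constructed."""
import hashlib
import hmac


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(K, label | 0x00 | data | i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)|max(AA,SPA)|min(nonces)|max(nonces));
    both sides compute it after message 1/2, once they hold both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KIK": ptk[:16], "KEK": ptk[16:32], "DEK": ptk[32:48]}   # 128 bits each (CCMP)


def encode(replay_ctr, nonce, key_data=b""):
    """Simplified EAPOL-Key body: KeyReplayCtr(8) | Nonce | KeyDataLen(2) | KeyData."""
    return replay_ctr.to_bytes(8, "big") + nonce + len(key_data).to_bytes(2, "big") + key_data


def mic(kik, body):
    """MIC_KIK: HMAC-SHA1 truncated to 128 bits, computed with the MIC field absent (zeroed)."""
    return hmac.new(kik, body, hashlib.sha1).digest()[:16]


class Peer:
    def __init__(self, pmk, addr, nonce):
        self.pmk, self.addr, self.nonce = pmk, addr, nonce
        self.ptk = None
        self.last_ctr = 0          # highest KeyReplayCtr accepted so far

    def accept_counter(self, ctr):
        if ctr <= self.last_ctr:   # not fresh: a replayed EAPOL-Key frame
            raise ValueError("replayed EAPOL-Key frame (KeyReplayCtr %d)" % ctr)
        self.last_ctr = ctr

    def check_mic(self, body, tag):
        if not hmac.compare_digest(mic(self.ptk["KIK"], body), tag):
            raise ValueError("bad MIC: peer does not hold the same PMK")


def four_way_handshake(ap, sta, wrapped_gtk):
    """Runs messages 1-4 between an AP Peer and a STA Peer; returns both PTKs on success."""
    ctr = ap.last_ctr + 1
    # 1) AP -> STA: ANonce | KeyReplayCtr   (no MIC: the STA has no PTK yet)
    m1 = encode(ctr, ap.nonce)
    sta.accept_counter(int.from_bytes(m1[:8], "big"))
    sta.ptk = derive_ptk(sta.pmk, ap.addr, sta.addr, ap.nonce, sta.nonce)
    # 2) STA -> AP: SNonce | KeyReplayCtr | MIC_KIK
    m2 = encode(ctr, sta.nonce)
    m2_mic = mic(sta.ptk["KIK"], m2)
    if int.from_bytes(m2[:8], "big") != ctr:
        raise ValueError("message 2 does not answer the outstanding message 1")
    ap.ptk = derive_ptk(ap.pmk, ap.addr, sta.addr, ap.nonce, sta.nonce)
    ap.check_mic(m2, m2_mic)                     # proves to the AP that the STA has the PMK
    # 3) AP -> STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
    ctr += 1
    m3 = encode(ctr, ap.nonce, wrapped_gtk)
    m3_mic = mic(ap.ptk["KIK"], m3)
    sta.accept_counter(ctr)
    sta.check_mic(m3, m3_mic)                    # proves to the STA that the AP has the PMK
    # 4) STA -> AP: KeyReplayCtr+1 | MIC_KIK     (ACK; both sides now install the keys)
    m4 = encode(ctr, b"")
    ap.check_mic(m4, mic(sta.ptk["KIK"], m4))
    ap.last_ctr = ctr
    return ap.ptk, sta.ptk


def demo(pmk_ap, pmk_sta):
    """Constructed addresses and nonces; returns True if the handshake completes with
    matching PTKs and False if a MIC check rejects the other side."""
    ap = Peer(pmk_ap, bytes.fromhex("001122334455"), bytes(range(32)))
    sta = Peer(pmk_sta, bytes.fromhex("66778899aabb"), bytes(range(32, 64)))
    wrapped_gtk = b"\xaa" * 24                   # assumed stand-in for {GTK}_KEK, not real key wrap
    try:
        ptk_ap, ptk_sta = four_way_handshake(ap, sta, wrapped_gtk)
    except ValueError:
        return False
    return ptk_ap == ptk_sta


if __name__ == "__main__":
    print("same PMK:", demo(b"\x01" * 32, b"\x01" * 32))        # True
    print("different PMK:", demo(b"\x01" * 32, b"\x02" * 32))   # False
```

Two details the slides leave out but the MIC check depends on: the real messages 2 and 3 also carry the RSN information element (the negotiated cipher suites), so a tampered suite choice fails the MIC; and message 1 carries no MIC at all, so a STA must be prepared to receive it again (with a larger counter) if the AP retransmits.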
Key hierarchies (summary)
(figure: the pairwise and the group key hierarchy)
 Pairwise hierarchy:
– 802.1X authentication => PMK (pairwise master key)
– key derivation in STA and AP => PTK (pairwise transient keys, 128 bits each):
• key encryption key
• key integrity key
• data encryption key
• data integrity key
– PTK => protection of unicast messages transmitted between STA and AP
 Group hierarchy:
– random generation in AP => GMK (group master key)
– key derivation in AP => GTK (group transient keys, 128 bits each):
• group encryption key
• group integrity key
– transport of GTK to every STA (protected with that STA's PTK) => protection of broadcast messages transmitted from AP to STAs
81
b.3.3. TKIP and AES-CCMP
 Recall:
1) 802.11i specs define security architectures:
* Old sec architecture (flawed) - protocol: WEP
(WEP security specification is a part of the IEEE 802.11 standard (Sept.’99) [Wikipedia])
* New sec architecture - protocols:
(supersedes WEP; defined as IEEE 802.11i, draft standard ratified in June’04 [Wikipedia])
+ RSN
- uses AES cipher (instead of RC4 cipher)
- needs new h/w
+ TKIP (optional protocol)
- uses RC4 cipher
- uses old h/w
2) Industry specs define security architectures:
+ WPA (WiFi Protected Access)
- based on TKIP
+ WPA2
- name used for RSN by many WiFi
manufacturers
82
TKIP and AES-CCMP
Summary:
AES used in RSN (=WPA2)
RC4 used in TKIP & WPA
83
TKIP
 TKIP runs on old hardware (that supports RC4), but ...
 ...WEP weaknesses are corrected by TKIP
– TKIP fix for integrity: Michael - new msg integrity
protection mechanism
• MIC (Message Integrity Code) value is added at SDU level
(service data unit level) before fragmentation into PDUs
- that is, MIC value added to data received by MAC
layer from higher layers before these data are
fragmented
• implemented in the device driver (in software)
84
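Michael, the MIC TKIP adds at SDU level, as an added example (not code from the slides or from any driver). The algorithm follows the 802.11i definition: a 64-bit key, two 32-bit state words, four mixing steps per 32-bit message word, padding with 0x5a and four to seven zero bytes; TKIP feeds it DA | SA | priority | three zero bytes | MSDU. The key and frame fields used at the end are constructed; the only outside reference is the 802.11i test vector for the all-zero key and the empty message.

```python
"""Added example: the Michael MIC of TKIP, computed over the MSDU before
fragmentation. Test inputs are constructed except for the published zero-key vector."""
import hmac

M32 = 0xFFFFFFFF


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def ror(x, n):
    return ((x >> n) | (x << (32 - n))) & M32


def xswap(x):
    """Swap the two bytes inside each 16-bit half."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_block(l, r):
    """The Michael block function b(L, R): XOR, add and rotate, four times over."""
    r ^= rol(l, 17)
    l = (l + r) & M32
    r ^= xswap(l)
    l = (l + r) & M32
    r ^= rol(l, 3)
    l = (l + r) & M32
    r ^= ror(l, 2)
    l = (l + r) & M32
    return l, r


def michael(key, msg):
    """64-bit key as two little-endian 32-bit words, 64-bit tag L | R little-endian.
    Padding: 0x5a, then 4 to 7 zero bytes, so the padded length is a multiple of 4."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    l, r = int.from_bytes(key[:4], "little"), int.from_bytes(key[4:], "little")
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for i in range(0, len(padded), 4):
        l ^= int.from_bytes(padded[i:i + 4], "little")
        l, r = michael_block(l, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def tkip_mic(dik, da, sa, priority, msdu):
    """TKIP input to Michael: DA(6) | SA(6) | priority(1) | 0x00 0x00 0x00 | MSDU; the
    addresses and priority are bound so a frame cannot be redirected without detection."""
    return michael(dik, da + sa + bytes([priority, 0, 0, 0]) + msdu)


def tkip_mic_ok(dik, da, sa, priority, msdu, tag):
    return hmac.compare_digest(tkip_mic(dik, da, sa, priority, msdu), tag)


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())        # 82925c1ca1d130b8 (802.11i test vector)
    dik = bytes.fromhex("0123456789abcdef")    # constructed data-integrity key
    da, sa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tag = tkip_mic(dik, da, sa, 0, b"hello")
    print(tkip_mic_ok(dik, da, sa, 0, b"hello", tag), tkip_mic_ok(dik, sa, da, 0, b"hello", tag))
```

Michael was sized for the old hardware, not for strength: its design goal was on the order of 20 bits of forgery resistance, which is why TKIP pairs it with countermeasures (after two MIC failures within a minute the station stops and rekeys) rather than relying on the tag alone.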
TKIP (2)
– TKIP fix for confidentiality:
(recall: IV used as a replay counter)
• to fix IV reuse problem: increase IV length to 48
bits (from 24 bits)
• to fix weak keys problem: use per-packet keys
(prevents attacker from observing a sufficient # of msgs encrypted
with the same, potentially weak, key)
 next sl.: new IV mechanism & generation of msg keys
85
TKIP – Generating RC4 keys
Recall:
- IV size in TKIP is increased from 24 to 48 bits.
- This creates difficulty: the old WEP hardware still expects a 128-bit RC4 seed value (24-bit IV field + 104-bit key).
=> 48-bit IV & the key must be compressed into 128 bits.
The figure shows how this is done, that is, how the RC4 seed values (per-packet keys) are generated:
(figure: TKIP key mixing)
– 48-bit IV split into upper 32 bits and lower 16 bits
– key mix (phase 1): inputs = DEK (data encryption key) from PTK, MAC address, upper 32 bits of IV => intermediate key
– key mix (phase 2): inputs = phase-1 output, lower 16 bits of IV => 104-bit per-packet key
– RC4 seed value (128 bits) = 24-bit IV field (3x8 bits: the lower 16 bits of IV with a dummy byte inserted between them, chosen so that the seed never falls into the WEP weak-key class) | 104-bit per-packet key
86
AES-CCMP
(used in RSN)
 AES = AES cipher algorithm
 CCMP = CTR mode + CBC-MAC
– encryption based on CTR mode (using AES – next slide)
– integrity protection based on CBC-MAC (using AES - below)
 SKIP- Calculation of CBC-MAC
– CBC-MAC is computed over the MAC header, CCMP
header, and the MPDU (fragmented data)
– mutable fields are set to zero
– input is padded with zeros if length is not multiple of
128 (bits)
– CBC-MAC initial block:
• flag (8)
• priority (8)
• source address (48)
• packet number (48)
• data length (16)
– final 128-bit block of CBC encryption is truncated to
(upper) 64 bits to get the CBC-MAC value
87
AES-CCMP
 SKIP- CTR mode encryption
– MPDU and CBC-MAC value are encrypted, MAC and
CCMP headers are not
– format of the counter is similar to the CBC-MAC
initial block
• “data length” replaced by “counter”
• counter initialized with 1
and incremented after each encrypted block
88
SKIP- b.3.3. Bluetooth
 P. 27 - 31
89
b.4. Summary of WiFi security
 Security always considered important for WiFi
 Early solution based on WEP
– seriously flawed
– not recommended to use
 802.11i - the new security standard for WiFi
– access control model based on 802.1X
– flexible authentication based on:
• EAP
• upper layer authentication protocols (e.g., TLS, GSM authentication)
– improved key management
– TKIP
• uses RC4 => runs on old hardware…
• … but corrects WEP’s flaws
• mandatory in WPA, optional in RSN (=WPA2)
– AES-CCMP
• uses AES in CCMP mode (CTR mode and CBC-MAC)
• needs new hardware that supports AES
90
Recommended books
 V. Niemi and K. Nyberg. UMTS Security. Wiley, 2003
 J. Edney, W. Arbaugh. Real 802.11 Security: WiFi
Protected Access and 802.11i. Addison-Wesley, 2004.
Caution: books describing standards age very quickly (especially
in this field) !
91
THE END
92
SKIP- Generation of the authentication vectors
(by the Home Environment)
(figure: the Home Environment generates SQN and RAND; together with the shared key K and AMF they are the inputs of the functions f1 … f5)
f1 (inputs K, SQN, RAND, AMF) => MAC (Message Authentication Code)
f2 (inputs K, RAND) => XRES (Expected Result)
f3 (inputs K, RAND) => CK (Cipher Key)
f4 (inputs K, RAND) => IK (Integrity Key)
f5 (inputs K, RAND) => AK (Anonymity Key)
Authentication token: AUTN := (SQN ⊕ AK) || AMF || MAC
Authentication vector: AV := RAND || XRES || CK || IK || AUTN
AMF: Authentication and Key Management Field
95
SKIP- More about the authentication and
key generation function
 In addition to f1, f2, f3, f4 and f5, two more functions are
defined: f1* and f5*, used in case the authentication procedure
gets desynchronized (detected by the range of SQN).
 f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
 However, 3GPP provides a detailed example of algorithm set,
called MILENAGE
 MILENAGE is based on the Rijndael block cipher
 In MILENAGE, the generation of all seven functions f1…f5* is
based on the Rijndael algorithm
96
SKIP- Authentication and
key generation functions f1…f5*
(figure: MILENAGE; inputs RAND, SQN||AMF and OP; E_K applied throughout)
– OPc = OP ⊕ E_K(OP)
– TEMP = E_K(RAND ⊕ OPc)
– f1 and f1*: E_K(TEMP ⊕ rotate by r1 of ((SQN||AMF||SQN||AMF) ⊕ OPc) ⊕ c1) ⊕ OPc; left half = f1, right half = f1*
– f2 and f5: E_K(rotate by r2 of (TEMP ⊕ OPc) ⊕ c2) ⊕ OPc; leftmost 48 bits = f5, right half = f2
– f3: E_K(rotate by r3 of (TEMP ⊕ OPc) ⊕ c3) ⊕ OPc
– f4: E_K(rotate by r4 of (TEMP ⊕ OPc) ⊕ c4) ⊕ OPc
– f5*: leftmost 48 bits of E_K(rotate by r5 of (TEMP ⊕ OPc) ⊕ c5) ⊕ OPc
OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants
E_K : Rijndael block cipher with
128 bits text input and 128 bits key
97
SKIP- f9 integrity function
(figure: f9 built from KASUMI in CBC-MAC style)
– input string: COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0…0, padded to a multiple of 64 bits and split into blocks PS0, PS1, PS2, …, PS(BLOCKS-1)
– each block is XORed into the chaining value and encrypted with KASUMI under IK
– the XOR of all chaining outputs is encrypted once more with KASUMI under IK ⊕ KM
– MAC-I = left 32 bits of the result
• KASUMI: block cipher (64 bits input,
64 bits output; key: 128 bits)
• PS: Padded String
• KM: Key Modifier
98
SKIP- Ciphering method
(figure: sender and receiver run the same keystream generator)
Sender (Mobile Station or Radio Network Controller):
KEYSTREAM BLOCK = f8(CK; COUNT-C, BEARER, DIRECTION, LENGTH)
CIPHERTEXT BLOCK = PLAINTEXT BLOCK ⊕ KEYSTREAM BLOCK
Receiver (Radio Network Controller or Mobile Station):
KEYSTREAM BLOCK = f8(CK; COUNT-C, BEARER, DIRECTION, LENGTH), same inputs as the sender
PLAINTEXT BLOCK = CIPHERTEXT BLOCK ⊕ KEYSTREAM BLOCK
BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter
99
SKIP- f8 keystream generator
(figure: f8 built from KASUMI in output-feedback style)
– A = KASUMI under CK ⊕ KM of (COUNT || BEARER || DIRECTION || 0…0), held in a register
– keystream block i, for BLKCNT = 0, 1, 2, …, BLOCKS-1: KASUMI under CK of (A ⊕ BLKCNT ⊕ previous keystream block), 64 bits each: KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …
KM: Key Modifier
KS: Keystream
100
SKIP- Detail of Kasumi
(figure residue; only the captions and the legend are recoverable)
Fig. 1 : KASUMI - 8-round Feistel structure; 64-bit input split into L0 and R0 (32 bits each), output C = L8 || R8; odd rounds apply FL then FO, even rounds FO then FL, with subkeys KL1…KL8, KO1…KO8, KI1…KI8
Fig. 2 : FO Function - 32-bit input split into two 16-bit halves, three rounds of FI with subkeys KOi,1…KOi,3 and KIi,1…KIi,3
Fig. 3 : FI Function - 16-bit input split into 9 and 7 bits, S9 and S7 S-boxes with zero-extend and truncate between the halves, subkeys KIi,j,1 and KIi,j,2
Fig. 4 : FL Function - 32-bit input, subkeys KLi,1 and KLi,2, bitwise AND operation, bitwise OR operation, one bit left rotation (<<<)
KLi, KOi, KIi : subkeys used at ith round
S7, S9: S-boxes
101
SKIP- Signaling integrity protection method
(figure: MAC-I computed by the sender, recomputed as XMAC-I by the receiver)
Sender (MS or Radio Network Controller):
MAC-I = f9(IK; COUNT-I, FRESH, DIRECTION, SIGNALLING MESSAGE); MAC-I is sent with the message
Receiver (Radio Network Controller or MS):
XMAC-I = f9(IK; COUNT-I, FRESH, DIRECTION, SIGNALLING MESSAGE); the message is accepted only if XMAC-I = MAC-I
FRESH = random input
102
SKIP- Protocols – LEAP, EAP-TLS, PEAP, EAP-SIM
 LEAP (Light EAP)
– developed by Cisco
– similar to MS-CHAP extended with session key transport
 EAP-TLS (TLS over EAP)
– only the TLS Handshake Protocol is used
– server and client authentication, generation of master secret
– TLS master secret becomes the session key
– mandated by WPA, optional in RSN
 PEAP (Protected EAP)
– phase 1: TLS Handshake without client authentication
– phase 2: client authentication protected by the secure channel established
in phase 1
 EAP-SIM
– extended GSM authentication in WiFi context
– protocol (simplified; 2*X = two X values, one per GSM triplet):
STA -> AP: EAP res ID ( IMSI / pseudonym )
STA -> AP: EAP res ( nonce )
AP: [gets two auth triplets (RAND, SRES, Kc) from the mobile operator’s AuC]
AP -> STA: EAP req ( 2*RAND | MIC_(2*Kc) | {new pseudonym}_(2*Kc) )
STA -> AP: EAP res ( 2*SRES )
AP -> STA: EAP success
103