802.11 Security/Bluetooth

Download Report

Transcript 802.11 Security/Bluetooth

Lecture Notes
2005.10.6. Thursday
http://an.kaist.ac.kr/courses/2005/cs492
Sue B. Moon
From Last Class on AODV
• Waiting time for a response on a RREQ?
– If a route is not received within NET_TRAVERSAL_TIME ms, then a
node may broadcast another RREQ, up to a maximum of
RREQ_RETRIES
– Use exponential backoff for next waiting time:
2 * NET_TRAVERSAL_TIME, 4 * ..., 8 * ...
– A node should not originate more than RREQ_RATELIMIT RREQ
messages per second
– Refer to RFC3561 for further details
• How scalable is the protocol?
– Modifications made for scalability: expanding ring search, query
localization, local repair
– S-J Lee et al., “Scalability Study of the Ad Hoc On-Demand Distance
Vector Routing Protocol,” Int’l Journal on Network Management, MarApr. 2003.
802.11 MAC Frame Format
• Types
– control frames, management frames, data frames
• Sequence numbers
– important against duplicated frames due to lost ACKs
• Addresses
– receiver, transmitter (physical), BSS identifier, sender (logical)
• Miscellaneous
– sending time, checksum, frame control, data
bytes
2
2
6
6
6
2
6
Frame Duration/ Address Address Address Sequence Address
Control
ID
1
2
3
Control
4
bits
2
2
4
1
1
1
1
1
1
1
0-2312
4
Data
CRC
1
Protocol
To From More
Power More
Type Subtype
Retry
WEP Order
version
DS DS Frag
Mgmt Data
MAC Frame Type/Subtype
• Management (00)
– Association/reassociation/probe request/response
– Beacon, ATIM
– Disassocation, authentication/deauthentication
• Control (01)
– Power Save (PS) –poll
– RTS/CTS
– ACK, CF-End, CF-End+CF-Ack
• Data (11)
– Data, Data+CF-Ack, Data+CF-Poll, Data+CF-Ack+CF-Poll
– CF-Ack, CF-Poll, CF-Ack + CF-Poll
Beacon Frame Body
•
•
•
•
•
•
•
•
•
•
Timestamp
Beacon interval
Capability information
SSID
Supported rates
FH Parameter set
DS Parameter set
CF Parameter set: CFPCount/Period/MaxDur ...
IBSS Parameter set
TIM
– DTIM count, DTIM period, Bitmap control, Partial virtual bitmap
Power saving with wake-up patterns
(infrastructure)
TIM interval
access
point
DTIM interval
D B
T
busy
medium
busy
T
d
D B
busy
busy
p
station
d
t
T
TIM
D
B
broadcast/multicast
DTIM
awake
p PS poll
d data transmission
to/from the station
Power-Saving with PCF/DCF
• Superframe = CFP (PCF) + CP (DCF)
Power saving with wake-up patterns
(ad-hoc)
ATIM
window
station1
beacon interval
B1
station2
A
B2
B2
D
a
B1
d
t
B
beacon frame
awake
random delay
a acknowledge ATIM
A transmit ATIM
D transmit data
d acknowledge data
IEEE 802.11 security
• War-driving: drive around Bay area, see what 802.11
networks available?
– More than 9000 accessible from public roadways
– 85% use no encryption/authentication
– packet-sniffing and various attacks easy!
• Securing 802.11
– encryption, authentication
– first attempt at 802.11 security: Wired Equivalent
Privacy (WEP): a failure
– current attempt: 802.11i
Wired Equivalent Privacy (WEP):
• authentication as in protocol ap4.0
– host requests authentication from access point
– access point sends 128 bit nonce
– host encrypts nonce using shared symmetric key
– access point decrypts nonce, authenticates host
• no key distribution mechanism
• authentication: knowing the shared key is enough
WEP data encryption
• Host/AP share 40 bit symmetric key (semi-permanent)
• Host appends 24-bit initialization vector (IV) to create
64-bit key
• 64 bit key used to generate stream of keys, kiIV
• kiIV used to encrypt ith byte, di, in frame:
ci = di XOR kiIV
• IV and encrypted bytes, ci sent in frame
802.11 WEP encryption
IV
(per frame)
KS: 40-bit
secret
symmetric
key
plaintext
frame data
plus CRC
key sequence generator
( for given KS, IV)
k1IV k2IV k3IV … kNIV kN+1IV… kN+1IV
d1
d2
d3 … dN
CRC1 … CRC4
c1
c2
c3 … cN
cN+1 … cN+4
Figure 7.8-new1:
802.11encryption
WEP protocol
Sender-side
WEP
802.11
IV
header
WEP-encrypted data
plus CRC
Breaking 802.11 WEP encryption
Security hole:
• 24-bit IV, one IV per frame, -> IV’s eventually reused
• IV transmitted in plaintext -> IV reuse detected
• Attack:
– Trudy causes Alice to encrypt known plaintext d1 d2 d3
d4 …
– Trudy sees: ci = di XOR kiIV
– Trudy knows ci di, so can compute kiIV
– Trudy knows encrypting key sequence k1IV k2IV k3IV …
– Next time IV is used, Trudy can decrypt!
802.11i: improved security
• numerous (stronger) forms of encryption possible
• provides key distribution
• uses authentication server separate from access
point
802.11i: four phases of operation
STA:
client station
AP: access point
AS:
Authentication
server
wired
network
1 Discovery of
security capabilities
2 STA and AS mutually authenticate, together
generate Master Key (MK). AP servers as “pass through”
3 STA derives
Pairwise Master
Key (PMK)
4 STA, AP use PMK to derive
Temporal Key (TK) used for message
encryption, integrity
3 AS derives
same PMK,
sends to AP
EAP: extensible authentication protocol
• EAP: end-end client (mobile) to authentication
server protocol
• EAP sent over separate “links”
– mobile-to-AP (EAP over LAN)
– AP to authentication server (RADIUS over UDP)
wired
network
EAP TLS
EAP
EAP over LAN (EAPoL)
IEEE 802.11
RADIUS
UDP/IP
Network Security (summary)
Basic techniques…...
–
–
–
–
cryptography (symmetric and public)
authentication
message integrity
key distribution
…. used in many different security scenarios
–
–
–
–
secure email
secure transport (SSL)
IP sec
802.11
Acknolwedgements
• Slides on WEP and 802.11 security from:
– Kurose and Ross’s book distribution