AP - grc.upv
Download
Report
Transcript AP - grc.upv
Redes Inalámbricas – Tema 6.
Seguridad
La tecnología 802.11: WEP y el estándar 802.11i
Seguridad en MANET
REDES INALÁMBRICAS
Máster de Ingeniería de Computadores-DISCA
MIC 2009/2010
2
WEP y IEEE802.11i
Wireless LAN Security Issues
Issue
Wireless sniffer can view all WLAN data
packets
Anyone in AP coverage area can get on
WLAN
REDES INALÁMBRICAS
Wireless LAN
(WLAN)
client
802.11 WEP Solution
Encrypt all data transmitted
between client and AP
Without encryption key, user
cannot transmit or receive data
Wired LAN
access point (AP)
Goal: Make WLAN security equivalent to that of wired LANs (Wired Equivalent
Privacy)
MIC 2009/2010
3
WEP y IEEE802.11i
WEP – Protection for 802.11b
Wired Equivalent Privacy
No worse than what you get with wire-based systems.
Criteria:
“Reasonably strong”
Self-synchronizing – stations often go in and out of coverage
Computationally efficient – in HW or SW since low MIPS CPUs might be used
Exportable – US export codes (relaxed in Jan 2000 / “Wassenaar Arrangement”)
Optional – not required to used it
Objectives:
REDES INALÁMBRICAS
confidentiality
integrity
authentication
MIC 2009/2010
4
WEP y IEEE802.11i
WEP – How It Works
Secret key (40 bits or 104 bits)
can use up to 4 different keys
Initialization vector (24 bits, by IEEE std.)
total of 64 or 128 bits “of protection.”
RC4-based pseudo random number generator (PRNG)
Integrity Check Value (ICV): CRC 32
REDES INALÁMBRICAS
Frame header
IV
(4 bytes)
Init Vector
(3 bytes)
Data (PDU)
( 1 byte)
1 byte
Pad
6 bits
Key ID
2 bits
ICV
(4 bytes)
FCS
MIC 2009/2010
5
WEP y IEEE802.11i
WEP Encryption Process
1) Compute ICV using CRC-32 over plaintext msg.
2) Concatenate ICV to plaintext message.
3) Choose random IV and concat it to secret key and input it to RC4 to
produce pseudo random key sequence.
4) Encrypt plaintext + ICV by doing bitwise XOR with key sequence to
produce ciphertext.
5) Put IV in front of cipertext.
Initialization
Vector (IV)
REDES INALÁMBRICAS
Secret Key
Seed
WEP PRNG
Key
Sequence
Plaintext
Integrity Algorithm
Integrity Check Value (ICV)
IV
Ciphertext
Message
MIC 2009/2010
6
WEP y IEEE802.11i
WEP Decryption Process
1) IV of message used to generate key sequence, k.
2) Ciphertext XOR k original plaintext + ICV.
3) Verify by computing integrity check on plaintext (ICV’) and comparing
to recovered ICV.
4) If ICV ICV’ then message is in error; send error to MAC
management and back to sending station.
Secret Key
REDES INALÁMBRICAS
IV
Message
Ciphertext
WEP PRNG
Key
Sequence
Plaintext
Seed
Integrity Algorithm
ICV’
ICV
ICV’ - ICV
MIC 2009/2010
7
WEP y IEEE802.11i
WEP Station Authentication
Wireless Station (WS) sends
Authentication Request to Access Point
(AP).
AP sends (random) challenge text T.
WS sends challenge response (encrypted
T).
AP sends ACK/NACK.
WS
Challenge Text
Challenge Response
Shared WEP Key
Authentication Request
Ack
REDES INALÁMBRICAS
Challenge
ENC
Client
SharedKey
{Challenge}
Success/Failure
Auth. Req.
AP
AP
Access Point
MIC 2009/2010
8
WEP y IEEE802.11i
WEP Weaknesses
Forgery Attack
Packet headers are unprotected, can fake src and dest addresses.
AP will then decrypt data to send to other destinations.
Can fake CRC-32 by flipping bits.
Replay
Can eavesdrop and record a session and play it back later.
Collision (24 bit IV; how/when does it change?)
Sequential: roll-over in < ½ day on a busy net
Random: After 5000 packets, > 50% of reuse.
Weak Key
REDES INALÁMBRICAS
If ciphertext and plaintext are known, attacker can determine key.
Certain RC4 weak keys reveal too many bits. Can then determine RC4 base key.
Well known attack described in Fluhrer/Mantin/Shamir paper
“Weaknesses in the Key Scheduling Algorithm of RC4”, Scott Fluhrer, Itsik Mantin,
and Adi Shamir
using AirSnort: http://airsnort.shmoo.com/
Also: WEPCrack
http://wepcrack.sourceforge.net/
MIC 2009/2010
9
WEP y IEEE802.11i
Ways to Improve Security with WEP
Use WEP(!)
Change wireless network name from
default
any, 101, tsunami
Turn on closed group feature, if available
in AP
Turns off beacons, so you must know
name of the wireless network
MAC access control table in AP
Use Media Access Control address of
wireless LAN cards to control access
Use Radius support if available in AP
REDES INALÁMBRICAS
Define user profiles based on user name
and password
War Driving in New Orleans
(back in December 2001)
Equipment
Laptop, wireless card, software
GPS, booster antenna (optional)
Results
64 Wireless LAN’s
Only 8 had WEP Enabled (12%)
62 AP’s & 2 Peer to Peer Networks
25 Default (out of the box) Settings
(39%)
29 Used The Company Name For
ESSID (45%)
10
MIC 2009/2010
War Driving
Locating wireless access points while in motion
http://www.wardrive.net/
Adversarial Tools
REDES INALÁMBRICAS
Laptop with wireless adapter
External omni-directional antenna
Net Stumbler or variants http://www.netstumbler.com/
GPS
With GPS Support
Send constant probe requests
REDES INALÁMBRICAS
MIC 2009/2010
11
WEP y IEEE802.11i
War Driving in New Orleans
(back in December 2001)
12
MIC 2009/2010
REDES INALÁMBRICAS
Quick and dirty 802.11 Security Methods
SSID Closed mode
MAC layer security
MIC 2009/2010
13
Quick and dirty Security Methods:
Closed Mode of Operation
Hide SSID
All devices in a WLAN have to have same SSID to communicate
SSID is not released
REDES INALÁMBRICAS
Beacon messages are removed
Client has to know exact SSID to connect
Make active scanning, send probe request
14
MIC 2009/2010
Attacking to 802.11 Closed Mode
Client Connection
Disassociate
Client
Impersonate AP
REDES INALÁMBRICAS
Client sends Probe Request which includes SSID in clear
Capture Probe Request Packets
for SSID information
AP
15
MIC 2009/2010
Man-in-the-middle Attack
Application
Server
AP
Access Point
Client
REDES INALÁMBRICAS
Impersonate AP
to the client
Impersonate Client
to the AP
Wired Network
16
MIC 2009/2010
REDES INALÁMBRICAS
Quick and dirty 802.11 Security Methods
SSID Closed mode
MAC layer security
17
MIC 2009/2010
Quick and dirty security Methods: MAC Layer Security
Based on MAC addresses
MAC filters
Allow associate of a MAC
Deny associate of a MAC
Wired Network
?
REDES INALÁMBRICAS
MAC: 00:05:30:AA:AA:AA
MAC: 00:05:30:BB:CC:EE
18
MIC 2009/2010
Bypass MAC Filters: MAC Spoofing
Wired Network
AP
Access Point
Legitimate Client
802.11
1
Application Server
Probe Request
Probe Respond
Authentication Request
Authentication Respond
Association Request
Association Response
Disassociate
Access to Network
REDES INALÁMBRICAS
Monitor
Set MAC address of Legitimate Client by
using SMAC or variants
2
Association Request
Association Response
Access to Network
3
4
5
19
MIC 2009/2010
Rouge AP
Install fake AP and web server software
Convince wireless client to:
Disassociate from legitimate AP
Associate to fake AP
Bring similar web application to user to collect passwords
Adversarial tools:
Any web server running on Unix or MS environments
Fake AP (http://www.blackalchemy.to/project/fakeap/)
REDES INALÁMBRICAS
AP
Wired Network
Reconnect
to louder AP
Run fake
• AP software
• Web Server
Application Server:
i.e. Web Server
20
MIC 2009/2010
IEEE 802.11i: Introducción
Las redes inalámbricas 802.11 siguen teniendo la fama de inseguras
Desde el año 2004 se cuenta con el estándar 802.11i, que
proporciona una alta seguridad a este tipo de redes
no hay descrito ningún ataque efectivo sobre WPA2 en modo infraestructura
(correctamente configurado)
WEP dejó de ser una opción a partir del año 2001
¡pero seguimos burlándonos de él!
ya no forma parte del estándar 802.11 (su uso está desaprobado por el añadido
802.11i
REDES INALÁMBRICAS
La tecnología actual permite redes Wi-Fi seguras
21
MIC 2009/2010
Cronología de la seguridad en 802.11
802.11a
802.11
802.11b
1997
1999
2001
REDES INALÁMBRICAS
Wi-Fi
WEP
802.11g
802.11i
2003
2004
WPA
WPA2
22
MIC 2009/2010
¿En qué falló WEP?
utiliza una única clave secreta para todo: autenticación,
confidencialidad
y se usa en todos los dispositivos y durante todo el tiempo
la gestión de las claves es manual
la autenticación es sólo para el dispositivo cliente
no se autentica al usuario, ni se autentica la red
el IV es demasiado pequeño y la forma de usarlo debilita el protocolo
la integridad no funciona (CRC no es un buen código)
REDES INALÁMBRICAS
y no incluye las direcciones fuente y destino
23
MIC 2009/2010
REDES INALÁMBRICAS
¿Qué podemos hacer?
No intentar resolverlo todo de una
Buscar los protocolos adecuados para cada funcionalidad
Permitir la gestión automática de las claves de cifrado
Cambiar frecuentemente las claves, obteniéndolas automáticamente
Autenticar al usuario, no al dispositivo
Autenticar a la red (también hay redes ‘malas’)
Utilizar protocolos robustos de autenticación, integridad y
confidencialidad
24
MIC 2009/2010
Primera aproximación: 802.1X
Control de acceso basado en el puerto de
red:
una vez autenticada y asociada una
estación, no se le da acceso a la red
hasta que no se autentique
correctamente el usuario
Componentes: suplicante, autenticador
y servidor de autenticación
Utiliza EAP como marco de autenticación
EAP permite el uso de distintos
protocolos
de autenticación: MD5, MS-CHAPv2, …
REDES INALÁMBRICAS
La utilización de un método criptográfico
en la autenticación permite generar claves
secretas
también se pueden distribuir de manera
segura
25
MIC 2009/2010
Métodos EAP (1)
Los métodos EAP en redes Wi-Fi han de cumplir:
protección de las credenciales de usuario
autenticación mutua usuario red
derivación de claves
Solución: emplear un túnel TLS
el servidor se autentica con certificado digital
las credenciales viajan protegidas
TLS genera una clave maestra
¿Qué servidor autentica? RADIUS
REDES INALÁMBRICAS
trabaja con distintas Bases de Datos de usuario
permite la escalabilidad mediante una jerarquía de servidores (en árbol)
26
MIC 2009/2010
Métodos EAP (2)
Los más habituales en Wi-Fi:
EAP-TLS
se utilizan certificados digitales en ambos extremos
EAP-TTLS (Tunneled TLS)
en una primera fase se establece un túnel TLS a partir del certificado digital del
servidor
en la segunda fase se utiliza cualquier otro método de autenticación (protegido
por el túnel). Ej.: PAP, MD5, …
EAP-PEAP (Protected EAP)
equivalente a TTLS, pero sólo emplea métodos EAP para la segunda fase: TLS,
MS-CHAP-V2, …
REDES INALÁMBRICAS
Si se emplean dos fases:
identidad anónima en la autenticación externa (dominio)
identidad real en la autenticación interna
27
MIC 2009/2010
El servicio RADIUS
Permite autenticar a los usuarios que establecen conexiones remotas u
802.1X
Es capaz de trabajar con distintos repositorios de cuentas de usuario
el Directorio Activo de Windows, LDAP, ficheros, …
Si el usuario no pertenece a su dominio lanza la petición a su ‘padre’
en la jerarquía RADIUS
en los métodos que utilizan dos fases se emplea la identidad externa para redirigir
la petición
REDES INALÁMBRICAS
Los canales cifrados (túneles TLS) se establecen entre el suplicante y
el RADIUS final que atiende la petición
REDES INALÁMBRICAS
MIC 2009/2010
28
Jerarquía RADIUS
29
MIC 2009/2010
Primera solución: WPA
Mientras en el IEEE se trabaja en el nuevo estándar 802.11i, las
debilidades de WEP exigen protocolos de cifrado en niveles superiores
a la capa de enlace
La industria es reacia a adoptar las redes 802.11
El consorcio Wi-Fi Alliance decide sacar el estándar comercial WPA
(Wi-Fi Protected Access)
Se basa en un borrador del estándar 802.11i y es un subconjunto del
mismo
compatible hacia delante
REDES INALÁMBRICAS
Soluciona todos los problemas que plantea WEP con medidas válidas a
medio plazo
30
MIC 2009/2010
La confidencialidad en WPA: TKIP
TKIP (Temporal Key Integrity Protocol) es el protocolo de cifrado
diseñado para sustituir a WEP reutilizando el hardware existente
Forma parte del estándar 802.11i
aunque se considera un protocolo ‘a desaprobar’
Entre sus características:
REDES INALÁMBRICAS
utiliza claves maestras de las que se derivan las claves
el IV se incrementa considerablemente (de 24 a 48 bits)
cada trama tiene su propia clave RC4
impide las retransmisiones de tramas antiguas
comprueba la integridad con el algoritmo Michael
no ofrece la máxima seguridad, pero incorpora contramedidas ante los
ataques (desconexión 60 s y generación de claves)
31
MIC 2009/2010
¿Cómo se configura WPA?
Autenticación 802.11 abierta
Autenticación 802.1X (en modo infraestructura)
Métodos EAP con túnel TLS
identidad externa anónima, si es posible
Restricción de los servidores RADIUS aceptados
Cifrado: TKIP
¿Y si estamos en un entorno SOHO?
REDES INALÁMBRICAS
no hay servidores RADIUS
no podemos autenticar al usuario como hasta ahora
no podemos generar la clave maestra
utilizamos una clave pre-compartida entre todos ¡!
32
MIC 2009/2010
La solución definitiva: 802.11i = WPA2
El protocolo CCMP ofrece el cifrado (mediante AES) y la protección de
integridad
se considera el algoritmo de cifrado más seguro hoy en día (no se ha ideado
ningún ataque contra el mismo)
necesita soporte hardware para no penalizar
aunque se han incorporado mejoras en el diseño para hacerlo más eficiente
Se establece el concepto RSN: Robust Security Networks
REDES INALÁMBRICAS
aquellas en las que todas las asociaciones entre dos dispositivos son de tipo RSNA
intercambio de claves con un 4-Way Handshake
33
MIC 2009/2010
Asociaciones de tipo RSNA
Una vez que el usuario se ha autenticado ante el RADIUS, ambos han
generado una clave maestra
El RADIUS le proporciona esta clave al AP
El punto de acceso y el cliente realizan un diálogo (con 4 mensajes) en
el que:
comprueban que el otro tiene en su poder la clave maestra
sincronizan la instalación de claves temporales
confirman la selección de los protocolos criptográficos
Las claves temporales son de dos tipos:
REDES INALÁMBRICAS
para el tráfico unicast (estación AP)
para el tráfico multicast y broadcast (AP estaciones)
34
MIC 2009/2010
¿Cómo se configura WPA2?
Autenticación 802.11 abierta
Autenticación 802.1X (en modo infraestructura)
Métodos EAP con túnel TLS
identidad externa anónima, si es posible
Restricción de los servidores RADIUS aceptados
Cifrado: AES
¿Y si estamos en un entorno SOHO?
REDES INALÁMBRICAS
utilizamos una clave pre-compartida entre todos
esta clave sirve de autenticación
esta es la clave maestra a partir de la que generar el resto
LA PALABRA DE PASO HA DE TENER MÁS DE 20 CARACTERES
35
MIC 2009/2010
WPA y WPA2
WPA puede ejecutarse con todo el hardware que soportase WEP (sólo
necesita una actualización de firmware)
WPA2 necesita hardware reciente (2004 )
WPA acabará siendo comprometido a medio plazo y sólo se
recomienda como transición a WPA2
Algunos AP permiten emplear un modo mixto que acepta tanto
clientes WPA como clientes WPA2 en la misma celda
REDES INALÁMBRICAS
hay una pequeña degradación en las claves de grupo
(este modo nos ha dado problemas con algunas PDA)
36
MIC 2009/2010
Pre-autenticación 802.1X
El proceso de establecer la asociación y generar las claves es costoso y
puede afectar a la movilidad
La pre-autenticación consiste en establecer el contexto de seguridad
con un AP mientras se está asociado a otro
El tráfico entre la estación y el nuevo AP viaja por la red cableada
Cuando, finalmente, se produce el roaming, el cliente indica que ya
está hecha la asociación inicial
REDES INALÁMBRICAS
Sólo disponible en WPA2 (excluido en WPA)
37
MIC 2009/2010
Soporte 802.11i en los S. Operativos
Windows Mobile
¡Cada PDA es un mundo!
Incluye el suplicante 802.1X
Soporta sólo WPA (cifrado TKIP)
métodos EAP: EAP-TLS y EAP-PEAP/MS-CHAP-V2
REDES INALÁMBRICAS
Windows XP SP2
Incluye el suplicante 802.1X
Soporta WPA (de fábrica). Se puede aplicar la actualización a WPA2 (si la tarjeta lo
soporta)
esta actualización no se aplica a través de Windows Update
métodos EAP: EAP-TLS y EAP-PEAP/MS-CHAP-V2
permite restringir los servidores RADIUS aceptados
almacena en caché las credenciales del usuario ¡siempre!
38
MIC 2009/2010
Soporte 802.11i en los S. Operativos
Windows Vista
REDES INALÁMBRICAS
Incluye el suplicante 802.1X
Soporta WPA y WPA2
métodos EAP: EAP-TLS y EAP-PEAP/MS-CHAP-V2
incorpora una API (EAPHost) que permite desarrollar nuevos suplicantes y nuevos
métodos EAP
permite restringir los servidores RADIUS aceptados
permite elegir si se almacenan o no, en caché, las credenciales del usuario
Permite definir perfiles de conexión para configurar las redes inalámbricas sin la
intervención del usuario
incluso con opciones que no podrá modificar
Informa de la seguridad de las redes disponibles
39
MIC 2009/2010
REDES INALÁMBRICAS
Soporte 802.11i en los S. Operativos
Linux
Dependiendo de la distribución puede incluir o no el suplicante 802.1X
Se recomienda utilizar wpa-supplicant y Network Manager para la configuración
Soporta WPA y WPA2
admite la mayoría de métodos EAP: EAP-TLS, EAP-TTLS/PAP, EAP-PEAP/MS-CHAPV2, …
permite restringir los servidores RADIUS aceptados
permite elegir si se almacenan o no, en caché, las credenciales del usuario
la configuración puede ser a través de ficheros o mediante la interfaz gráfica
40
MIC 2009/2010
eduroam
Es una iniciativa a nivel internacional que permite la movilidad de sus
miembros de manera ‘transparente’
con la misma configuración de la red inalámbrica se puede conectar un usuario en
cualquier institución adherida a eduroam
la autenticación del usuario la hace siempre la institución de origen (con seguridad
en el tránsito de credenciales)
es sencillo detectar si tenemos soporte para eduroam: el SSID es eduroam
Más información:
http://www.eduroam.es, http://eduroam.upv.es
REDES INALÁMBRICAS
Atención: el cifrado puede ser distinto en cada red
REDES INALÁMBRICAS
MIC 2009/2010
41
eduroam en Europa
42
MIC 2009/2010
La red inalámbrica en la UPV
REDES INALÁMBRICAS
http://wifi.upv.es
Redes Inalámbricas – Tema 6.
Seguridad
La tecnología 802.11: WEP y el estándar 802.11i
Seguridad en MANET
REDES INALÁMBRICAS
Máster de Ingeniería de Computadores-DISCA
44
MIC 2009/2010
Routing security vulnerabilities
Wireless medium is easy to snoop on
Due to ad hoc connectivity and mobility, it is hard to guarantee access
to any particular node (for instance, to obtain a secret key)
Easier for trouble-makers to insert themselves into a mobile ad hoc
network (as compared to a wired network)
Open medium
Dynamic topology
Distributed cooperation
(absence of central authorities)
Constrained capability
REDES INALÁMBRICAS
(energy)
45
MIC 2009/2010
Securing Ad Hoc Networks
Definition of “Attack” RFC 2828 — Internet Security Glossary :
“ An assault on system security that derives from an intelligent threat, i.e., an
intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of the
system.”
REDES INALÁMBRICAS
Goals
Availability: ensure survivability of the network despite denial of service attacks.
The DoS can be targeted at any layer
Confidentiality: ensures that certain information is not disclosed to unauthorized
entities. Eg Routing information information should not be leaked out because it
can help to identify and locate the targets
Integrity: guarantee that a message being transferred is never corrupted.
Authentication: enables a node to ensure the identity of the nodes communicating.
Non-Repudiation: ensures that the origin of the message cannot deny having sent
the message
46
MIC 2009/2010
Routing attacks
Classification:
External attack vs. Internal attack
External: Intruder nodes can pose to be a part of the network injecting erroneous
routes, replaying old information or introduce excessive traffic to partition the
network
Internal: The nodes themselves could be compromised. Detection of such nodes is
difficult since compromised nodes can generate valid signatures.
Passive attack vs. Active attack
REDES INALÁMBRICAS
Passive attack: “Attempts to learn or make use of information from the system but
does not affect system resources” (RFC 2828)
Active attack: “Attempts to alter system resources or affect their operation” (RFC
2828)
47
MIC 2009/2010
Normal Flow
REDES INALÁMBRICAS
Information
source
Information
destination
48
MIC 2009/2010
Passive Attacks
Sniffer
Passive attacks
REDES INALÁMBRICAS
Interception (confidentiality)
Release of message contents
Traffic analysis
49
MIC 2009/2010
Sniffers
All machines on a network can “hear” ongoing traffic
A machine will respond only to data addressed specifically to it
Network interface: “promiscuous mode” – able to capture all frames
transmitted on the local area network segment
Risks of Sniffers:
REDES INALÁMBRICAS
Serious security threat
Capture confidential information
Authentication information
Private data
Capture network traffic information
50
MIC 2009/2010
Interception
REDES INALÁMBRICAS
Information
source
Information
destination
Unauthorized party gains access to the asset –
Confidentiality
Example: wiretapping, unauthorized copying of files
51
MIC 2009/2010
Passive attacks
Release of message contents
Intruder is able to interpret and extract information being transmitted
Highest risk: authentication information
Can be used to compromise additional system resources
Traffic analysis
REDES INALÁMBRICAS
Intruder is not able to interpret and extract the transmitted information
Intruder is able to derive (infer) information from the traffic characteristics
52
MIC 2009/2010
Protection against passive attacks
Shield confidential data from sniffers: cryptography
Disturb traffic pattern:
Traffic padding
Onion routing
REDES INALÁMBRICAS
Modern switch technology: network traffic is directed to the
destination interfaces
Detect and eliminate sniffers
53
MIC 2009/2010
Active attacks
Active attacks
REDES INALÁMBRICAS
Interruption
(availability)
Modification
(integrity)
Fabrication
(integrity)
54
MIC 2009/2010
Interruption
REDES INALÁMBRICAS
Information
source
Information
destination
Asset is destroyed or becomes unavailable - Availability
Example: destruction of hardware, cutting communication
line, disabling file management system, etc.
55
MIC 2009/2010
Denial of service attack
Adversary floods irrelevant data
Consume network bandwidth
Consume resource of a particular node
E-mail bombing attack: floods victim’s mail with large bogus messages
Popular
Free tools available
Smurf attack:
REDES INALÁMBRICAS
Attacker multicast or broadcast an Internet Control Message Protocol (ICMP) with
spoofed IP address of the victim system
Each receiving system sends a respond to the victim
Victim’s system is flooded
56
MIC 2009/2010
TCP SYN flooding
Server: limited number of allowed half-open connections
Backlog queue:
Existing half-open connections
Full: no new connections can be established
Time-out, reset
Attack:
Attacker: send SYN requests to server with IP source that unable to response to
SYN-ACK
Server’s backlog queue filled
No new connections can be established
Keep sending SYN requests
REDES INALÁMBRICAS
Does not affect
Existing or open incoming connections
Outgoing connections
57
MIC 2009/2010
Protection against DoS, DDoS
Hard to provide full protection
Some of the attacks can be prevented
Filter out incoming traffic with local IP address as source
Avoid established state until confirmation of client’s identity
REDES INALÁMBRICAS
Internet trace back: determine the source of an attack
58
MIC 2009/2010
Modification
REDES INALÁMBRICAS
Information
source
Information
destination
Unauthorized party tampers with the asset – Integrity
Example: changing values of data, altering programs,
modify content of a message, etc.
59
MIC 2009/2010
Attacks using modification
Attacks using modification
Idea:
Malicious node announces better routes than the other nodes in order to be
inserted in the ad-hoc network
How ?
REDES INALÁMBRICAS
Redirection by changing the route sequence number
Redirection with modified hop count
Denial Of Service (DOS) attacks
Modify the protocol fields of control messages
Compromise the integrity of routing computation
Cause network traffic to be dropped, redirected to a different destination or take a
longer route
60
MIC 2009/2010
Attacks using modification
Redirection with modified hop count:
- The node C announces to B a path with a metric value of one
- The intruder announces to B a path with a metric value of one too
- B decides which path is the best by looking into the hop count value of each
route
Node C
Metric 1 and 3 hops
REDES INALÁMBRICAS
Node A
Node B
Node D
Metric 1 and 1 hop
Intruder
61
MIC 2009/2010
REDES INALÁMBRICAS
Attacks using modification
Denial Of Service (DOS) attacks with modified source routes:
A malicious node is inserted in the network
The malicious node changes packet headers it receives
The packets will not reach the destination:
The transmission is aborted
Node A sends packets
with header: (route cache
to reach node E)
Intruder I decapsulates
packets, change the
header:
A-B-I-C-D-E
A-B-I-C-E
Node A
Node B
Intruder I
Node C has no direct
route with E, also the
packets are dropped
Node C
Node D
Node E
62
MIC 2009/2010
Fabrication
REDES INALÁMBRICAS
Information
source
Information
destination
Unauthorized party insets counterfeit object into the system
– Authenticity
Example: insertion of offending messages, addition of records
to a file, etc.
63
MIC 2009/2010
Attacks using fabrication
Attacks using fabrication
Idea:
Generates traffic to disturb the good operation of an ad-hoc network
How ?
Falsifying route error messages
REDES INALÁMBRICAS
Corrupting routing state
Routing table overflow attack
Replay attack
Black hole attack
64
MIC 2009/2010
REDES INALÁMBRICAS
Attacks using fabrication
Falsifying route error messages:
When a node moves, the closest node sends “error” message to the others
A malicious node can usurp the identity of another node (e.g. By using spoofing)
and sends error messages to the others
The other nodes update their routing tables with these bad information
The “victim” node is isolated
65
MIC 2009/2010
REDES INALÁMBRICAS
Attacks using fabrication
Corrupting routing state:
In DSR, routes can be learned from promiscuously received packets
A node should add the routing information contained in each packet’s header it
overhears
A hacker can easily broadcast a message with a spoofed IP address such as the
other nodes add this new route to reach a special node S
It’s the malicious node which will receive the packets intended to S.
66
MIC 2009/2010
REDES INALÁMBRICAS
Attacks using fabrication
Routing table overflow attack:
Available in “pro-active” protocols.
These protocols try to find routing information before they are needed
A hacker can send in the network a lot of route to non-existent nodes until
overwhelm the protocol
67
MIC 2009/2010
Attacks using fabrication
Replay attack:
A hacker sends old advertisements to a node
The node updates its routing table with stale routes
Black hole attack:
REDES INALÁMBRICAS
A hacker advertises a zero metric route for all destinations
All the nodes around it will route packets towards it
68
MIC 2009/2010
REDES INALÁMBRICAS
Attacks using impersonation
Attacks using impersonation
Idea :
Usurpates the identity of another node to perform changes
How ?
Spoofing MAC address of other nodes
69
MIC 2009/2010
Attacks using impersonation
Forming loops by spoofing MAC address:
A malicious node M can listen all the nodes when the others nodes can only listen
their closest neighbors
Node M first changes its MAC address to the MAC address of the node A
Node M moves closer to node B than node A is, and stays out of range of node A
Node M announces node B a shorter path to reach X than the node D gives
A
C
M
REDES INALÁMBRICAS
B
D
E
X
70
MIC 2009/2010
Attacks using impersonation
Forming loops by spoofing MAC address:
Node B changes its path to reach X
Packets will be sent first to node A
Node M moves closer to node D than node B is, and stays out of range of node B
Node M announces node D a shorter path to reach X than the node E gives
A
C
REDES INALÁMBRICAS
M
B
D
E
X
71
MIC 2009/2010
Attacks using impersonation
Forming loops by spoofing MAC address:
Node D changes its path to reach X
Packets will be sent first to node B
X is now unreachable because of the loop formed
A
C
M
REDES INALÁMBRICAS
B
D
E
X
72
MIC 2009/2010
REDES INALÁMBRICAS
Other Routing attacks
Attacks for routing:
Wormhole attack (tunneling)
Invisible node attack
The Sybil attack
Rushing attack
Non-cooperation
73
MIC 2009/2010
Wormhole attack
Colluding attackers uses “tunnels” between them to forward packets
Place the attacker in a very powerful position
The attackers take control of the route by claiming a shorter path
tunnel
M
N
REDES INALÁMBRICAS
D
C
S
A
B
74
MIC 2009/2010
Invisible node attack
Attack on DSR
Malicious does not append its IP address
M becomes “invisible” on the path
REDES INALÁMBRICAS
S
B
M
C
D
75
MIC 2009/2010
The Sybil attack
Represents multiple identities
Disrupt geographic and multi-path routing
B
M1
M5
REDES INALÁMBRICAS
M2
M3
M4
76
MIC 2009/2010
REDES INALÁMBRICAS
Rushing attack
Directed against on-demand routing protocols
The attacker hurries route request packet to the next node to increase
the probability of being included in a route
77
MIC 2009/2010
REDES INALÁMBRICAS
Non-cooperation
Node lack of cooperation, not participate in routing or packet
forwarding
Node selfishness, save energy for itself
Redes Inalámbricas – Tema 6.
Seguridad
La tecnología 802.11: WEP y el estándar 802.11i
Seguridad en MANET
Algunas soluciones
REDES INALÁMBRICAS
Máster de Ingeniería de Computadores-DISCA
79
MIC 2009/2010
TESLA Overview
Broadcast authentication protocol used here for authenticating routing
messages
Efficient and adds only a single message authentication code (MAC) to a message
Requires asymmetric primitive to prevent others from forging MAC
REDES INALÁMBRICAS
TESLA achieves asymmetry through clock synchronization and delayed
key disclosure
80
MIC 2009/2010
TESLA Overview (cont.)
1.
2.
3.
REDES INALÁMBRICAS
4.
Each sender splits the time into intervals
It then chooses random initial key (KN)
Generates one-way key chain through repeated use of a one-way hash
function (generating one key per time interval)
KN-1=H[KN], KN-2=H[KN-1]…
These keys are used in reverse order of generation
The sender discloses the keys based on the time intervals
81
MIC 2009/2010
TESLA Overview (cont.)
Sender attaches MAC to each packet
Computed over the packet’s contents
Sender determines time interval and uses corresponding value from one-way key
chain
With the packet, the sender also sends the most recent disclosable one-way chain
value
Receiver knows the key disclosing schedule
Checks that the key used to compute the MAC is still secret by determining that
the sender could not have disclosed it yet
As long as the key is still secret, the receiver buffers the packet
REDES INALÁMBRICAS
When the key is disclosed, receiver checks its correctness (through
self-authentication) and authenticates the buffered packets
82
MIC 2009/2010
Assumptions
Of the network
Network links are bidirectional
The network may drop, corrupt, reorder or duplicate packets
Each node must be able to estimate the end-to-end transmission time to any other
node in the network
Disregard physical attacks and Medium Access Control attacks
Of the nodes
REDES INALÁMBRICAS
Resources of nodes may vary greatly, so Ariadne assumes constrained nodes
All nodes have loosely synchronized clocks
83
MIC 2009/2010
REDES INALÁMBRICAS
Security Assumptions
Three authentication mechanism possibilities:
Pairwise secret keys (requires n(n+1)/2 keys)
TESLA (shared keys between all source-destination pairs)
Digital signatures (requires powerful nodes)
84
MIC 2009/2010
Key Setup
Shared secret keys
Key distribution center
Bootstrapping from a Public Key Infrastructure
Pre-loading at initialization
Initial TESLA keys
REDES INALÁMBRICAS
Embed at initialization
Assume PKI and embed Certifications Authority’s public key at each node
85
MIC 2009/2010
REDES INALÁMBRICAS
Ariadne Overview
Authenticate routing messages using one of:
Shared secrets between each pair of nodes
Avoids need for synchronization
Shared secrets between communicating nodes combined with broadcast
authentication
Requires loose time synchronization
Allows additional protocol optimizations
Digital signatures
86
MIC 2009/2010
REDES INALÁMBRICAS
Ariadne Notation
A and B are principals (e.g., communicating nodes)
KAB and KBA are secret MAC keys shared between A and B
MACKAB(M) is computation of MAC of message M using key KAB
87
MIC 2009/2010
Route Discovery
Assume sender and receiver share secret (non-TESLA) keys for
message authentication
Target authenticates ROUTE REQUESTS
Initiator includes a MAC computed with end-to-end key
Target verifies authenticity and freshness of request using shared key
Data authentication using TESLA keys
REDES INALÁMBRICAS
Each hop authenticates new information in the REQUEST
Target buffers REPLY until intermediate nodes release TESLA keys
TESLA security condition is verified at the target
Target includes a MAC in the REPLY to certify the condition was met
Attacker can remove a node from node list in a REQUEST
One-way hash functions verify that no hop was omitted (per-hop
hashing)
88
MIC 2009/2010
Route Discovery (cont.)
Assume all nodes know an authentic key of the TESLA one-way key chain of
every other node
Securing ROUTE REQUEST
REDES INALÁMBRICAS
Target can authenticate the sender (using their additional shared key)
Initiator can authenticate each path entry using intermediate TESLA keys
No intermediate node can remove any other node in the REQUEST or REPLY
89
MIC 2009/2010
REDES INALÁMBRICAS
Route Discovery (cont.)
Upon receiving ROUTE REQUEST, a node:
Processes the request only if it is new
Processes the request only if the time interval is valid (not too far in the future,
but not for an already disclosed TESLA key)
Modifies the request and rebroadcasts it
Appends its address to the node list, replaces the hash chain with H[A, hash
chain], appends MAC of entire REQUEST to MAC list using KAi where i is the
index for the time interval specified in the REQUEST
90
MIC 2009/2010
REDES INALÁMBRICAS
Route Discovery (cont.)
When the target receives the route request:
Checks the validity of the REQUEST (determining that the keys from the time
interval have not been disclosed yet and that hash chain is correct)
Returns ROUTE REPLY containing eight fields
ROUTE REPLY, target, initiator, time interval, node list, MAC list
target MAC: MAC computed over above fields with key shared between target
and initiator
key list: disclosable MAC keys of nodes along the path
91
MIC 2009/2010
REDES INALÁMBRICAS
Route Discovery (cont.)
Node forwarding ROUTE REPLY
Waits until it can disclose TESLA key from specified interval
Appends that key to the key list
This waiting does delay the return of the ROUTE REPLY but does not consume
extra computational power
92
MIC 2009/2010
REDES INALÁMBRICAS
Route Discovery (cont.)
When initiator receives ROUTE REPLY
Verifies each key in the key list is valid
Verifies that the target MAC is valid
Verifies that each MAC in the MAC list is valid using the TESLA keys
93
MIC 2009/2010
Route Maintenance
Based on DSR
Node forwarding a packet to the next hop returns a ROUTE ERROR to the original
sender
REDES INALÁMBRICAS
Prevent unauthorized nodes from sending errors, we require errors to
be authenticated by the sender
94
MIC 2009/2010
Route Maintenance
Errors are propagated just as regular data packets
Intermediate nodes remove routes that use the bad link
Sending node continues to send data packets along the route until
error is validated
REDES INALÁMBRICAS
Generates additional errors, which are all cleaned up when the error is finally
validated
95
MIC 2009/2010
Anonymous Communication
Sometimes security requirement may include anonymity
Availability of an authentic key is not enough to prevent traffic analysis
REDES INALÁMBRICAS
We may want to hide the source or the destination of a packet, or
simply the amount of traffic between a given pair of nodes
96
MIC 2009/2010
Traffic Analysis
Traditional approaches for anonymous communication, for instance,
based on MIX nodes or dummy traffic insertion, can be used in
wireless ad hoc networks as well
REDES INALÁMBRICAS
However, it is possible to develop new approaches considering the
broadcast nature of the wireless channel
97
MIC 2009/2010
Mix Nodes
Mix nodes can reorder packets from different flows, insert dummy
packets, or delay packets, to reduce correlation between packets in
and packets out
G
D
REDES INALÁMBRICAS
C
M1
B
A
M3
M2
E
F
98
MIC 2009/2010
Mix Nodes
Node A wants to send message M to node G. Node A chooses 2 Mix
nodes (in general n mix nodes), say, M1 and M2
G
D
REDES INALÁMBRICAS
C
M1
B
A
M3
M2
E
F
99
MIC 2009/2010
Mix Nodes
Node A transmits to M1
message K1(R1, K2(R2, M))
where Ki() denotes encryption using public key Ki of Mix i, and Ri is a
random number
G
D
REDES INALÁMBRICAS
C
M1
B
A
M3
M2
E
F
100
MIC 2009/2010
Mix Nodes
M1 recovers K2(R2,M) and send to M2
G
D
REDES INALÁMBRICAS
C
M1
B
A
M3
M2
E
F
101
MIC 2009/2010
Mix Nodes
M2 recovers M and sends to G
G
D
REDES INALÁMBRICAS
C
M1
B
A
M3
M2
E
F
102
MIC 2009/2010
Mix Nodes
If M is encrypted by a secret key, no one other than G or A can
know M
REDES INALÁMBRICAS
Since M1 and M2 “mix” traffic, observers cannot determine the
source-destination pair without compromising M1 and M2 both
103
MIC 2009/2010
Alternative Mix Nodes
Suppose A uses M2 and M3
Need to take fewer hops
(not M1 and M2)
Choice of mix nodes affects overhead
G
D
REDES INALÁMBRICAS
C
M1
B
A
M3
M2
E
F
104
MIC 2009/2010
Mix Node Selection
Intelligent selection of mix nodes can reduce overhead
With mobility, the choice of mix nodes may have to be modified to
reduce cost
REDES INALÁMBRICAS
However, change of mix selection has the potential for divulging more
information