CAPWAP System Security, T. Charles Clancy (clancy@cs.umd.edu)

SLIDE 1

UMD DEPARTMENT OF COMPUTER SCIENCE DOD LABORATORY FOR TELECOMMUNICATION SCIENCES

CAPWAP System Security

T. Charles Clancy
clancy@cs.umd.edu

Department of Computer Science, University of Maryland, College Park
Laboratory for Telecommunication Sciences, US Department of Defense

IETF 64, CAPWAP WG, November 7, 2005

SLIDE 2

Security Protocol Hierarchy

[Figure: network diagram with nodes labelled STA, WTP, AC, AAA and Mgmt; protocol labels: CAPWAP, 802.1X, SNMP, HTTP]

SLIDE 3

Threat Model

[Figure: network diagram with nodes labelled STA, WTP, AC, AAA and Mgmt, annotated with threats: aid in service theft, service theft, eavesdrop, compromise credentials, denial of service, penetration risk]

SLIDE 4

Trust Relationships

[Figure: network diagram with nodes labelled STA, WTP, AC, AAA and Mgmt; key: Long-Term, EAP Credential, PSK/Cert, TK, MSK, MK, Admin Credential]

SLIDE 5

System Security

  • Long-Term Trust Relationships:

    – WTP ↔ AC (CAPWAP PSK or Certificate)
    – AC ↔ AAA (AAA secret / RADIUS)
    – STA ↔ AAA (EAP Credential)

  • Trust Chaining

WTP ↔ AC ↔ AAA ↔ STA => WTP ↔ STA

  • Only as secure as the weakest link

SLIDE 6

Implications

  • Strong mutual authentication at each level
  • All transmitted packets MUST be protected by a keyed integrity check value to prevent forgery
  • Encryption only required if transmitted data is sensitive (application specific)
  • Eavesdropping easier on wireless links, thus encryption is RECOMMENDED

SLIDE 7

Crypto Security

  • Ciphers MUST be IND-CPA-secure, SHOULD be NM-CCA-secure
  • Example: WEP is IND-CPA-secure (excluding FMS attack)
  • Example: TKIP is IND-CCA-secure (due to Michael flaws)

[Figure: grid of the security notions IND-CPA, IND-CCA, NM-CPA and NM-CCA; axes: Indistinguishable / Non-Malleable and Chosen Plaintext / Chosen Ciphertext; scale from Least Secure to Most Secure; annotations: Good Crypto, Strong MAC]

SLIDE 8

Good Ciphers and MACs

  • Good Ciphers: AES-CCMP, RSA-OAEP
  • Good MACs: AES-CBC-MAC, HMAC-SHA1
  • Replay prevention

    – Approach 1: have MAC cover packet header (AES-CCMP) – good
    – Approach 2: require strong, randomly initialized, incrementing IV – better
    – Approach 3: include a randomly initialized, explicit sequence number (DTLS) – best
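
Added example (not part of the original slides): a Python illustration of Approach 3 combined with the keyed integrity check value from slide 6, using HMAC-SHA1 over header, explicit sequence number and payload, plus a sliding-window replay check on the receiver. The packet layout, the 4-byte `CAPW` header, the 64-packet window and all names are assumptions made for this example; they are not the CAPWAP or DTLS wire format.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 64    # assumed anti-replay window size (packets)
TAG_LEN = 20   # HMAC-SHA1 output length in bytes

def protect(key, seq, header, payload):
    """Return header || seq || payload || HMAC-SHA1 over all three."""
    body = header + struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()

class Receiver:
    def __init__(self, key, header_len):
        self.key, self.header_len = key, header_len
        self.highest = None   # highest authenticated sequence number so far
        self.bitmap = 0       # bit i set: (highest - i) was already accepted

    def accept(self, packet):
        """Return the payload, or None if forged, replayed or too old."""
        if len(packet) < self.header_len + 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None       # check the ICV before touching replay state
        start = self.header_len
        (seq,) = struct.unpack("!Q", body[start:start + 8])
        if self.highest is None:          # first valid packet fixes the start
            self.highest, self.bitmap = seq, 1
        elif seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW else (
                ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1))
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW or (self.bitmap >> offset) & 1:
                return None   # outside the window, or a replay
            self.bitmap |= 1 << offset
        return body[start + 8:]

def demo():
    """Constructed traffic: in order, reordered, replayed, tampered header."""
    key = os.urandom(16)                          # 128-bit symmetric key
    seq0 = int.from_bytes(os.urandom(4), "big")   # randomly initialized
    rx = Receiver(key, header_len=4)
    p = [protect(key, seq0 + i, b"CAPW", b"msg%d" % i) for i in range(3)]
    return [rx.accept(x) for x in (p[0], p[2], p[1], p[1], b"X" + p[0][1:])]
```

Because the MAC covers the header and the sequence number, a modified header or a rewritten sequence number fails verification before the replay window is consulted.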

SLIDE 9

Attack Containment

[Figure: network diagram with nodes labelled STA, WTP, AC and AAA, showing a WTP compromise; legend: Affected Nodes, Unaffected Nodes]

SLIDE 10

Implications

  • To mitigate and contain compromises:
    – Each AC must have a unique shared secret with each AAA server
    – Each WTP must have a unique PSK or certificate for each AC
    – Each STA must have a unique TK with each WTP and unique MSK with each AC
  • Handoffs between WTPs MUST derive a fresh TK
    – 802.11i: execute a new four-way handshake
  • Handoffs between ACs MUST derive a fresh MSK
    – 802.11i: reauthenticate
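
Added example (not part of the original slides): the 802.11i pairwise key derivation for CCMP in Python, showing that a new four-way handshake at a second WTP yields a different TK even though the PMK is unchanged. The MAC addresses, nonces and MSK are constructed values, and the scenario of two WTPs behind one AC sharing the PMK is an assumption of this example.

```python
import hashlib
import hmac
import os

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:nbytes]

def derive_tk(pmk, aa, spa, anonce, snonce):
    """CCMP: PTK = PRF-384(PMK, "Pairwise key expansion", ...) = KCK | KEK | TK."""
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[32:48]

def handoff_demo():
    """Constructed roam: one STA, two WTPs behind the same AC (same PMK)."""
    msk = os.urandom(64)                  # stands in for the EAP-derived MSK
    pmk = msk[:32]                        # PMK is the first 256 bits of the MSK
    sta = bytes.fromhex("020000000001")   # constructed MAC addresses
    wtp1 = bytes.fromhex("0200000000a1")
    wtp2 = bytes.fromhex("0200000000a2")
    a1, s1 = os.urandom(32), os.urandom(32)      # nonces, handshake at WTP 1
    a2, s2 = os.urandom(32), os.urandom(32)      # fresh nonces at WTP 2
    tk_wtp1 = derive_tk(pmk, wtp1, sta, a1, s1)
    tk_sta1 = derive_tk(pmk, wtp1, sta, a1, s1)  # STA side computes the same TK
    tk_wtp2 = derive_tk(pmk, wtp2, sta, a2, s2)  # after the handoff
    return tk_wtp1, tk_sta1, tk_wtp2
```

The TK depends on both nonces and both addresses, so a TK recovered from one WTP does not give the TK in use at another; a fresh MSK, by contrast, requires the full reauthentication listed for handoffs between ACs.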

SLIDE 11

CAPWAP Management

  • Upper-layer management features:
    – SNMP interface
    – Firmware updates
  • Must be strongly and mutually authenticated
  • Management should be executed via the AC
    – Maintain hierarchy, preserve security properties
    – Single, centralized authentication point
    – Single point of failure, DoS possibility
  • AC provides SNMP front end to the CAPWAP management protocol

SLIDE 12

CAPWAP Protocol Requirements

  • Need authentication
    – Symmetric key size ≥ 128 bits
    – Public key size ≥ 2048 bits
    – Explicit mutual authentication with key confirmation (prevent DoS)
    – Unique credentials for each WTP
  • Need authorization
    – Must authorize WTPs connecting to ACs
    – Possessing a certificate signed by someone is not sufficient for authorization

SLIDE 13

CAPWAP Security Interactions

  • Need CAPWAP protocol policy such that:
    – AC ↔ AAA
      • Authentication is unique, strong, mutual, and explicit
      • Communications protected by strong ciphersuite
    – STA ↔ AAA
      • Authentication is unique, strong, mutual, and explicit
      • Communications protected by strong ciphersuite
    – STA ↔ WTP
      • Communications protected by strong ciphersuite
      • WEP is NOT RECOMMENDED
    – Management ↔ AC
      • Authentication is unique, strong, mutual, and explicit
      • Communications protected by strong ciphersuite