Mobile Communications Mobile Communications Security Types of - - PDF document

Mobile Communications Mobile Communications Security

 Types of Attacks  GSM Security  802.11 Security

Access Control Lists

 GSM Security

 Authentication  Encryption Access Control Lists  WEP  WPA/WPA2  Temporary ID (TMSI) 802.1X/EAP

Tunneling

Mobile Communication Security 1

Security Requirements

Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity. Confidentiality No access to information for unauthorized users. Integrity Protection of data from manipulation/deletion. Non-repudiation Originator cannot deny being the origin of data. Availability

… of resources and data to legitimate users.

Sicherheit Mobile Communication Security 2

Attack Types

Passive attacks:

 Eavesdropping

undetected interception and recording of communications by non- authorized persons

 Traffic flow analysis

By observing transmitted messages By observing transmitted messages Conclusions about behavior, interest and habits of users

Security Mobile Communication Security 3

Attack Types

Active attacks:

 Masquerading

Falsifying of identity Falsifying of identity

 Tampering

Unnoticed manipulation of messages during transmission p g g

 Replay

Storage of messages and later (unmanipulated) retransmission. g g ( p )

 Denial of Service

Prevention of users from using a service by overload- or interference attacks.

Security Mobile Communication Security 4

GSM / UMTS security mechanisms

User Authentication Encryption T Id tifi ti (TMSI) Temporary Identification (TMSI)

Security Mobile Communication Security 5

GSM / UMTS security mechanisms

User Authentication

 For each GSM subscriber, there is a key Ki (128 bit)  Ki is stored on the SIM (Subscriber Identification Module) and HLR (Home

Location Register) Location Register)

 Ki never leaves the SIM card or the HLR  To authenticate, a "challenge-response" method is used, based on a one-

way function, in GSM referred to as A3 algorithm.

 Each network operator can define A3 itself, known examples:

 COMP128 (already cracked takes less than a minute)  COMP128 (already cracked, takes less than a minute)  COMP128-2 (secret)  COMP128-3 (secret, but some analysis shows that problems of COMP128 have

been basically solved)

Security Mobile Communication Security 6

GSM / UMTS security mechanisms

User Authentication (cont.)

 Suppose a mobile station i enters a new cell (eg in a foreign network).

Th A th i ti C t (AC) t th HLR i th t t d b th

 The Authorization Center (AC) at the users HLR is then contacted by the

foreign network.

 The AC generates a random number RAND (128 bit) and a value SRES

g ( ) (32 bit) by employing A3 with Ki to RAND.

 HLR sends (RAND, SRES) encrypted and signed to the foreign network.  The foreign network sends RAND (challenge) to the mobile station i and

„asks“ it to calculate SRES‘ by executing A3 with Ki on RAND.

 Then the mobile station sends calculated SRES‘ back to foreign network  Then the mobile station sends calculated SRES back to foreign network

(response).

 If SRES = SRES‘ the mobile station is authenticated successfully. Security Mobile Communication Security 7

GSM / UMTS security mechanisms

Encryption of the air interface (optional)

 The challenge response method cannot prevent „Man in the Middle“ attacks

E d i d th i d h ll th f th

 Eavesdropping and unauthorized phone calls on the expense of others

 Therefore, there is another one way function in GSM called "A8 algorithm"  A8 is also determined by the network operator, e.g. also COMP128-3

y p , g

 HLR generates a symmetric key Kc from RAND and Ki by A8  HLR sends (RAND, SRES, Kc) encrypted and signed to the foreign network.  The foreign network sends RAND to mobile station as before.  The mobile station computes Kc using RAND and Ki employing A8  K i th

d th i i t f ti k

 Kc is then used on the air interface as an encryption key. Security Mobile Communication Security 8

GSM / UMTS security mechanisms

Encryption of the Air interface (optional, cont.)

 With Kc all calls between mobile and base station are encrypted.

Th ti l ith it lf i ll d A5 l ith “ i GSM

 The encryption algorithm itself is called „A5-algorithm“ in GSM  There are 3 different standardizedA5:

 A5/1 stream cipher algorithm, weak

p g ,

 A5/2 stream cipher algorithm, even weaker  A5/3 block cipher algorithm, strong

http://www.gsmworld.com/using/algorithms/index.shtml

Security Mobile Communication Security 9

GSM / UMTS security mechanisms

Temporary identification (TMSI)

 The IMSI number (International Mobile Subscriber Identity) is used as

international mobile subscriber identifier international mobile subscriber identifier.

 It is transferred only once in a foreign network.  After the transfer the MSC/VLR computes a TMSI (Temporary Mobile

p ( p y Subscriber Identity)

 For any further communication the TMSI is used  In case of a re-registration at a cell or a cell to cell handover a new TMSI is

computed, encrypted and transferred. This mechanism makes it difficult for attackers to create a motion profile, which means mapping of IMSI to TMSI.

Security Mobile Communication Security 10

GSM / UMTS security mechanisms

Summary

Request Security Mobile Communication Security 11

The IEEE 802.11 standard security mechanisms

Provision of:

 Access Control  Authentication  Encryption

yp

802.11 Wireless Client Access Point Service Set Identifier (SSID) Media Access Control (MAC filtering) Wired Equivalent Privacy (WEP) WiFi Protected Access (WPA)

Mobile Communication Security 12

Access Control - Service Set Identifier (SSID)

Standard Mode

 The network name (SSID) doesn‘t have to be known to the client  The network name (SSID) doesn t have to be known to the client  SSID = dividing a Wireless LAN into distinct segments  AP sends "beacon" signals containing the SSID, so that clients can find the

desired segment desired segment

Hidden Mode (closed network, no broadcast)

 AP sends beacon“ signals without SSID therefore the client must know  AP sends „beacon signals without SSID, therefore the client must know

the SSID of desired segment upfront.

 AP does not reply to SSID broadcasts by clients

Unfortunately the SSID is transmitted in other signalling messages in clear text. SSID can be easily intercepted with a „Wireless Sniffer“.

Mobile Communication Security 13

Access Control - MAC Address List

Access control by means of Access Control Lists (ACL) of MAC addresses ACLs have to be managed via management software centrally on access points points

 Not well scalable. Administrative burden is very high.

Remedy Remedy

 central file with MAC list  RADIUS Server

 Username = MAC address  Username = MAC address  Password = „null“ or „none“

MAC addresses are generally transmitted unencrypted MAC addresses are generally transmitted unencrypted

 Attacker can intercept MAC address and misuse it on his/her own wireless

interface card = MAC address spoofing (identity pretention)

Mobile Communication Security 14

Wired Equivalent Privacy (WEP)

Radio waves do not stop at the front door of buildings

 Unlike wired systems it requires no physical intervention in order to break  Unlike wired systems, it requires no physical intervention in order to break

into the network

Wi d E i l t P i Wired Equivalent Privacy

 safety from interception is supposed to be at least as good as wired

systems.

 Primary goal is privacy: prevention of eavesdropping  Secondary target is authentication of clients

WEP 802.11 is available in a 40-bit and 128-bit version WEP has no method for key management

 Keys must be configured manually  Global key <-> personal key  Keys are the same for everyone are secret only for a short period of time  Keys are the same for everyone, are secret only for a short period of time. Mobile Communication Security 15

WEP modes

Open System Authentication p y

Station Identity Wireless Client Access Point result

Shared Key Authentication

Station Identity Station Identity Challenge C Wireless Client Access Point WEP (C) result

Mobile Communication Security 16

WEP: Send and Receive

Th d / i i t t k t “ i WEP K d

• The sender/originator generates a „keystream“ using WEP-Key and

Initialisation Vector (IV) as input to the RC4-algorithm.

• The plaintext (actual message in binary code) is then bitwise

p ( g y ) exclusively (XOR) „merged“ with the key stream.

• The sender computes a 32-bit long checksum (CRC32), using a linear

algorithm algorithm.

• the sender encrypts both
• The IV transmitted unencrypted with the rest of the message and can

yp g be changed with every packet.

• The receiver uses the IV and WEP-Key to generate the key stream.

Finally the receiver applies XOR operator to key stream and encrypted

• Finally the receiver applies XOR operator to key stream and encrypted

message body to decrypt to the original plaintext.

Mobile Communication Security 17

WEP Packet Structure

Frame Frame Body FCS 802.11 Generic Packet Frame Frame Header Frame Body FCS Shared before communication begins Created by Sending Device Secret Key (40bit) IV (24bits) Integrity Check Algorithm (CRC32) RC4 Algorithm Frame Body ICV Frame Header IV Frame Body ICV FCS WEP Packet Frame Encrypted Encrypted Mobile Communication Security 18

RC4 algorithm

RC4 is a fast stream cipher algorithm developed in 1987 by Ron Rivest (RSA) RC4 is a fast stream cipher algorithm developed in 1987 by Ron Rivest (RSA). The RSA Data Security Inc. held the algorithm secret, so no reliable security evaluation was possible. In September 1994 an anonymous participant of a mailing list posted a source code, that after extensive testing proved to be completely compatible with RC4. The algorithm is very compact and 5-10 times faster than DES. For this reason RC4 is used in many real time oriented systems RC4 is used in many real time oriented systems. RC4 has a variable key length of 5-256 Byte.

Mobile Communication Security 19

The Initialization Vector (IV) Problem

The IV is only 24 bits long, there are16,777,216 (224) possible variations

 Even if IV is changed with every packet, after 224 packets, there will be a

second packet that has been encrypted with the same IV+WEP-Key

 Only few identical IV are necessary to deduce the WEP-Key and therefore  Only few identical IV are necessary to deduce the WEP Key and therefore

the plaintext employing statistical methods.

Th t f d t th t d t b t d f thi tt k i l The amount of data that needs to be captured for this attack is no longer a

• problem. Assuming an average packet length of 1500 Bytes, the data

amount is: 224 Key x 1500 bytes < 24 GBytes amount is: 2 Key x 1500 bytes 24 GBytes In reality bad implementation change IV less than every packet or never:

 802.11 specification: "Changing the IV after each packet is optional" Mobile Communication Security 20

WEP

I 2001 WEP fi ll di dit d th h bli h d tt k b S tt In 2001 WEP was finally discredited through a published attack by Scott Fluhrer, Itsik Mantin and Adi Shamir:

 "Weaknesses in the Key Scheduling Algorithm of RC4“

y g g

The attack is based on the fact that often the first 8 bits of the plaintext are known, due to the applied Logical Link Control (LLC) protocol. With this information the WEP-Key can be calculated within seconds With this information the WEP-Key can be calculated within seconds. There is an application for download called „aircrack„: http://www.aircrack-ng.org/doku.php

Mobile Communication Security 21

WPA - Wi-Fi Protected Access

The WiFi-Alliance designed WPA to counter 802.11 the WEP Standard k Alth h IEEE b k th d (802 11i) th

• weakness. Although IEEE began work on a new method (802.11i), the

WiFi-Alliance could not wait and already endorsed WPA in Oct. 2002. WPA is also based on a stream cipher algorithm, the same hardware can be used, but the problem with the key has been remedied (TKIP) IV is now 48 bits long WPA is a subset of the 802.11i standard, especially with regards to:

 Authentication  Authentication



Pre Shared Key (PSK), „WPA personal "



802.1X/EAP (Extens. Auth. Prot) Authentication, „WPA enterprise"

E ti

 Encryption



TKIP (Temporal Key Integrity Protocol) data encryption

801.11i was never approved, but incorporated in IEEE 802.11-2007 pp p

Mobile Communication Security 22

WPA - Wi-Fi Protected Access

TKIP T l K I t it P t l TKIP Temporal Key Integrity Protocol

 It was introduced to eliminate the problem with the Key of WEP

p y

 Migrating from WEP to TKIP requires minimal firmware upgrade  The actual RC-4 Key is generated with TKIP  TKIP employs a 2-phase key mixing method that constantly changes the

key and makes sure that each packet is sent with a unique encryption key. This makes it much more difficult to compute the key by cryptographic analysis.

Mobile Communication Security 23

WPA - Wi-Fi Protected Access

RC4 Vulnerability

• RC4 is a fast but simple stream cypher algorithm
• Security concerns

Security concerns

 if parts of the plaintext are known, the key can be cracked

thi i i ll t f th fi t b t f th l i t t

 this is especially true for the first bytes of the plaintext  for RC4 in combination with TKIP, there are published attacks

p http://dl.aircrack-ng.org/breakingwepandwpa.pdf

 It is therefore generally not recommended to use RC4  It is therefore generally not recommended to use RC4 Mobile Communication Security 24

WPA2 - Wi-Fi Protected Access

• Successor WPA2 is considered secure from today's perspective, but

requires more processing power of devices. This poses a problem for mobile devices.

• It uses AES for encryption instead of RC4/TKIP

It uses AES for encryption instead of RC4/TKIP

• There are two versions

 "Enterprise" means major authentication features, 802.1X/EAP  "Personal" means a stripped down version for private use, only Pre

Shared Key (PSK)

• WPA2 "enterprise" is almost identical to IEEE 802.11-2007 security

p y

• mechanisms. It lacks fast handover between access points.

Si 2006 WPA2 i d t f Wi Fi tifi d d i

• Since 2006, WPA2 is mandatory for every Wi-Fi certified device

Mobile Communication Security 25

Advanced Encryption Standard (AES)

• This is the successor of the Data Encryption Standard (DES ) used

f t i f ti t th US N ti l S it A (NSA) for secret information to the US National Security Agency (NSA)

• Today’s most common standard for symmetric encryption
• Block cipher instead of stream cipher (RC-4)

Block cipher, instead of stream cipher (RC 4)

• Block size 128 bits = 16 bytes
• Key sizes:

a0,0 a0,1 a0,2 a0,3

 128 bit (AES-128)  192 bit (AES-192)  256 bit (AES-256)

a1,0 a1,1 a1,2 a1,3 a2,0 a2,1 a2,2 a2,3

AES-128 block

 256 bit (AES 256)

• Very fast both in SW and in HW
• Repeated transformations of the 16-byte blocks. 10, 12 and 14

a3,0 a3,1 a3,2 a3,3

transformation rounds for AES-128, AES 196 and AES-256

• No practical attacks are known, even for 128-bit key length, 256-bit

can be used for very high security requirements. can be used for very high security requirements.

Mobile Communication Security 26

802.1X/EAP (Extensible Authentication Protocol)

Message flow in 802.1X/EAP

Advantages: l i l i ff 1 2

WLAN Association EAP/802.1X Negotiation

• low implementation effort
• no firmware upgrade for new

Authentication methods

• automatic key change

2

Master Secret Communication Session Key

automatic key change RADIUS: Remote Authentication Dial- In User Service 3

Regular Data Transfer New Session Key Further Regular Data Transfer

Mobile Communication Security 27

802.1X/EAP

e.g. Access Point e g Notebook e.g. Notebook

from http://www.linux.com/howtos/8021X-HOWTO/index.shtml

Mobile Communication Security 28

802.11-2007 standard

It i l d th th f ll i t

• It includes among others the following components:

 IEEE 802.1X port-based authentication, by using EAP „Man in the Middle“

attacks are prevented (port means single point of attachment in LAN infrastructure)

 TKIP Temporal Key Integrity Protocol  AES Advanced Encryption Standard encryption algorithm (instead of

yp yp g ( RC4/TKIP)

 Fast roaming is supported

• It considers the safety requirements of

 AP-based networks (infrastructure based) as well as  Ad Hoc networks Mobile Communication Security 29

Basics: Tunneling in IP networks

Host A

• Tunneling is a concept that

can secure data packets by

A B Host A Source Destination Location X

can secure data packets by encryption for transport over transit networks.

B Security Gateway

• 1 -

Tunnel Payloa 1 Data

• Tunnel entry is determined

by an additional IP header

net Tunnel ad 2 A B en

y

• Tunnel endpoint is defined

b li i ti th dditi l

Intern B Paylo ncrypted

by eliminating the additional header

Security Gateway

• 2 -
• ad

A B Source Destination Host B Location Y Payload Data

Mobile Communication Security 30

Conceptualization

Private Network Virtual Private Network (WAN) Private Network

Headquarters Headquarters Leased line

Public Network

Subsidiary Subsidiary Subsidiary Subsidiary

Mobile Communication Security 31

VPN Basics

Addresses

 Public network (Internet)  Public network (Internet)  large shared address space  (Virtual) Home network  own independent address space

Encryption

 Packet contents must be secured on transit through public network  Packet contents must be secured on transit through public network  Encryption of payload and private header

VPN-Technology is well suited to securely connect mobile stations to remote infrastructures using public networks.

Mobile Communication Security 32

Tunneling protocols for VPN

Protocols to establish a VPN tunnel: Protocols to establish a VPN tunnel:

 PPTP (Point-to-Point Tunneling Protocol)  L2F (Layer 2 Forwarding)  L2F (Layer 2 Forwarding)  L2TP (Layer 2 Tunneling Protocol)  IPsec (Internet Protocol Security) this is now the most important VPN protocol  IPsec (Internet Protocol Security), this is now the most important VPN protocol.

Mobile Communication Security 33

IP Security Protocol (IPsec)

E t i f IP

• Extension of IP,
• Layer 3 tunneling protocol,

Layer 3 tunneling protocol,

• IPsec was originally developed for IP version 6 (RFC 1825 - 1829) and

is a mandatory part of IPv6,

• but is fully standardized for IPv4 for optional use
• but is fully standardized for IPv4, for optional use,
• IPsec is described in RFCs 2401 to 2412.

Mobile Communication Security 34

IPsec

K bj ti f th IP d fi iti Key objectives of the IPsec-definition were:

• transparent behavior to applications,

transparent behavior to applications,

• easy integration into existing networks,
• no fixed encryption method (future-proof),
• use of different protocols for authentication and encryption

(independently or in combination),

• basic possibility of supplementing it with other protocols
• basic possibility of supplementing it with other protocols,
• IPsec is ultimately intended to replace the other VPN protocols.

Mobile Communication Security 35

IPsec - Security Features

IP i l d f i t t it f t IPsec includes four important security features:

 Encryption - protection against eavesdropping  Authentication of the message - to prove the authenticity of a message

g y g (packet integrity)

 Authentication of the sender – for explicit identification of a transmitter /

receiver (packet authenticity) (p y)

 Key management

A t ll th t IP d Actually there are two IPsec modes:

 IPsec in transport mode  IPsec in tunnel mode Mobile Communication Security 36

IPsec - Security Features

IP-Header Data

Transport Mode

IP-Header Data

IPsec-header (AH, ESP)

Transport Mode

• The „Data“ part can be encrypted, while the rest remains unencrypted.

An additional IPsec header (AH ESP) is being inserted

encrypted

• An additional IPsec header (AH, ESP) is being inserted
• Used for data integrity and authenticity (checksum by hashing with MD5 or SHA-1)
• Protection against replay attacks
• Confidentiality
• Confidentiality.
• The main advantage is, that only little additional information is inserted into the
• packet. Further, an attacker can analyze the data flow (source, destination,
• packet. Further, an attacker can analyze the data flow (source, destination,

quantity) but the data itself is safe, in particular if encrypted.

AH = Authentication Header ESP = Encapsulating Security Payload ESP Encapsulating Security Payload Mobile Communication Security 37

IPsec - Security Features

IP-Header Data

New IP-Header

Data

IPsec-header IP-Header

Tunnel Mode

Data

(ESP)

IP Header

encrypted

• The whole IP packet is encrypted,
• A new IP-Header is added, followed by the Encapsulating Security Payload

(ESP) Header (ESP) Header,

• Is often used for connecting LANs over an insecure network, the new IP

addresses are the IP addresses of the gateways,

• IPsec only needs to be implemented at the gateways,
• Outside observers cannot distinguish who inside a LAN is sending how

much to whom inside another remote LAN,

• Packets, however, are longer than in transport mode.

Mobile Communication Security 38

IPsec - Security

• Authentication Header (AH)

 Data authenticity  Data authenticity,  Integrity,  Protection against replay attacks.

• Encapsulation Security Payload (ESP)

 Data confidentiality  Data confidentiality,  Limited traffic flow confidentiality,  Integrity,

D t th ti it

 Data authenticity,  Protection against replay attacks. Mobile Communication Security 39

IPsec - in tunnel mode (example)

S d Secured

Mobile Communication Security 40

IPsec

Sources

 RFC 2401 IPsec Architecture  RFC 2401 IPsec Architecture  RFC 2402 IP Authentication Header (AH)  RFC 2403 AH with MD5-96  RFC 2404 AH with SHA-1-96  RFC 2405 ESP with DES-CBC  RFC 2406 Encapsulation Security Payload (ESP)  RFC 2406 Encapsulation Security Payload (ESP)  RFC 2408 ISAKMP  RFC 2409 Internet Key Exchange (IKE) Mobile Communication Security 41

More information

More information

 Official website of the IPSec Working Group of IETF

(http://www ietf org/html charters/OLD/ipsec-charter html) (http://www.ietf.org/html.charters/OLD/ipsec charter.html)

 IPsec Unofficial Homepage http://www.vpnc.org/ietf-ipsec/  FAQ - IPv6

(http://www ipv6 org/faq html) (http://www.ipv6.org/faq.html)

Implementations p

 SSH IPSec Express - toolkit for the integration of IPSec into TCP / IP

products (http://www ssh com/products/developer/ipsec express/) products (http://www.ssh.com/products/developer/ipsec_express/)

 FreeS / WAN - a free Linux implementation of IPsec (http://www.xs4all.nl/

~ freeswan /)

Mobile Communication Security 42

Links

Virtual Private Network Consortium

 http://www vpnc org  http://www.vpnc.org

Virtual Private Network Daemon

 http://sunsite.dk/vpnd

Cisco Technology Solutions Cisco Technology Solutions

 Virtual Private Networks

http://www.cisco.com/warp/public/779/largeent/learn/technologies/VPNs.html

Mobile Communication Security 43