Wireless Communications and Mobile Computing MAP-I Jaime Dias, - - PowerPoint PPT Presentation

SLIDE 1

WNMC-MPR-Sec 1

Wireless Communications and Mobile Computing

MAP-I

Jaime Dias, Manuel Ricardo

Faculdade de Engenharia da Universidade do Porto

SLIDE 2

SECURITY - BASIC CONCEPTS

SLIDE 3

Symmetric Cryptography

♦ Ex: RC4, AES

SLIDE 4

Digest/Hash

♦ Input

» variable length message

♦ Output

» a fixed-length bit string (the hash)

♦ Used to guarantee message integrity and source identification

♦ Ex: MD5, SHA1

SLIDE 5

Public Key Cryptography – Confidentiality

SLIDE 6

Public Key Cryptography - Authentication (digital signature)

SLIDE 7

Public Key Distribution Problem

MIM attack (Alice, Carol, Bob):

(1) KpubAlice
(2) KpubCarol
(3) “Later, around 20h”
(4) KpubCarol[“Later, around 20h”]
(5) KprivCarol[KpubCarol[“Later, around 20h”]] = “Later, around 20h”
(6) “Later, around 20h” → “Later, around 19h”
(7) KpubAlice[“Later, around 19h”]
(8) KprivAlice[KpubAlice[“Later, around 19h”]] = “Later, around 19h”

What Alice believes happened (Alice, Bob):

(1) KpubAlice
(2) “Later, around 19h”
(3) KpubAlice[“Later, around 19h”]
(4) KprivAlice[KpubAlice[“Later, around 19h”]] = “Later, around 19h”

SLIDE 8

Certification Authority

SLIDE 9

SSL/TLS

♦ SSL (Secure Sockets Layer)

– Developed by Netscape

♦ TLS 1.x (Transport Layer Security)

– IETF

♦ Transparent to application protocols

♦ Server/client can authenticate using certificates

♦ But, due to certificate costs

» Servers → authenticated by certificates
» Clients → authenticated at the application layer (e.g. passwords)

SLIDE 10

SSL/TLS – Typical Procedure

Client:

» connects to a TLS-enabled server requesting a secure connection
» presents a list of supported CipherSuites (ciphers, hash functions)

Server:

» picks the strongest CipherSuite; notifies the client about the decision

Server:

» sends back its identification as a Digital Certificate
» Certificate: [server name, server's public encryption key, trusted certificate authority (CA)]

Client:

» contacts the CA and verifies whether the certificate is authentic

Client:

» encrypts a random number (RN) with the server's public key (PbK)
» sends it to the server

Server:

» decrypts RN using its private key (PvK)

Client ↔ Server: generate key material for encryption/decryption

Client: authenticates itself to the server

SLIDE 11

802.11 SECURITY

SLIDE 12

802.11 Security

♦ “Minimum” security → WEP (Wired Equivalent Privacy)

♦ Station authentication

» Open mode → no authentication
» Shared Mode

– AP sends challenge → station returns the challenge encrypted with the WEP key

♦ Confidentiality → frames are encrypted with RC4

♦ Integrity → CRC32

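SLIDE 13

WEP - Encryption

[Diagram: the IV and the WEP Key feed the WEP PRNG (RC4), which outputs the Keystream; the SDU with its ICV (crc32) is XORed with the Keystream to produce the Cryptogram; the 802.11 frame carries Header, IV, Cryptogram and FCS]

SLIDE 14

WEP - Decryption

[Diagram: the IV taken from the 802.11 frame and the WEP Key feed the WEP PRNG (RC4), which outputs the Keystream; the Cryptogram is XORed with the Keystream to recover the SDU and the ICV; the received ICV is checked against the ICV computed over the SDU (Check values)]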

SLIDE 15

WEP Vulnerabilities

♦ Same IV and WEP key → same keystream

» IV too short (24 bits)
» No mechanism for WEP key update

♦ Same keystream:

» SDU2 ⊕ SDU1 = cryptogram1 ⊕ cryptogram2
» If SDU1 is known (ICMP, TCP ack, …) then
» SDU2 = cryptogram1 ⊕ cryptogram2 ⊕ SDU1
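The keystream-reuse relation from this slide, worked through on constructed data. This is an added example, not part of the original slides; the key, IVs, payloads and the helper names (`wep_encrypt`, `recover_sdu2`, `ivs_seen_twice`) are assumptions made for illustration.

```python
# Added example: WEP-style keystream reuse on constructed data (not from the slides).
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, wep_key: bytes, sdu: bytes) -> bytes:
    """Cryptogram = (SDU || ICV) XOR RC4(IV || WEP key), with ICV = CRC32(SDU)."""
    plain = sdu + zlib.crc32(sdu).to_bytes(4, "little")
    return xor(plain, rc4(iv + wep_key, len(plain)))

def recover_sdu2(c1: bytes, c2: bytes, sdu1: bytes) -> bytes:
    """SDU2 = cryptogram1 XOR cryptogram2 XOR SDU1. No key material is involved."""
    return xor(xor(c1, c2), sdu1)              # zip() stops at len(sdu1)

def ivs_seen_twice(frames):
    """Defender's check: IVs that occur on more than one captured frame."""
    seen, repeated = set(), set()
    for iv, _ in frames:
        (repeated if iv in seen else seen).add(iv)
    return repeated

WEP_KEY = bytes.fromhex("0102030405")          # constructed 40-bit key
SDU1 = b"known ICMP echo payload!"             # constructed known plaintext
SDU2 = b"secret application data."             # constructed, same length
FRAMES = [(iv, wep_encrypt(iv, WEP_KEY, sdu)) for iv, sdu in [
    (bytes.fromhex("a1b2c3"), SDU1),
    (bytes.fromhex("000001"), b"unrelated frame, fresh IV"),
    (bytes.fromhex("a1b2c3"), SDU2),           # same IV as the first frame
]]

if __name__ == "__main__":
    print(ivs_seen_twice(FRAMES))
    print(recover_sdu2(FRAMES[0][1], FRAMES[2][1], SDU1))
```

With only 2^24 possible IVs and no key update, repeated IVs are unavoidable on a busy network, which is why the fix in 802.11i is a fresh temporal key and a longer counter rather than a longer WEP key.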

SLIDE 16

WEP Vulnerabilities (2)

» RC4 key = IV (3 bytes) + WEP key (5 or 13 bytes)

♦ Weak IVs help break the WEP key

» Weak IVs: i:ff:X

♦ Ex: Weak IVs for WEP keys of 40 bits

» 3:ff:X, 4:ff:X, 5:ff:X, 6:ff:X, 7:ff:X

SLIDE 17

WEP Vulnerabilities (3)

♦ Integrity Check Value based on CRC32 (linear)

♦ WEP neither authenticates nor checks the integrity of the frame header

» Station can change the MAC address

♦ AP is not authenticated

» Rogue AP

♦ WEP does not control the frame sequence

» Replay attacks

♦ Same key for every station

» Traffic can be eavesdropped or even changed by any station knowing the WEP key

SLIDE 18

WEP Vulnerabilities (4)

♦ Manufacturers put up additional barriers

» Authentication by SSID

– Station monitors the medium and waits for another station to associate to see the SSID

» Access control by MAC address

– Station sees the MAC addresses of allowed stations and clones their address

SLIDE 19

802.1X – Access Control

Before the authentication

» 802.1X traffic
» Other traffic (blocked)

After the authentication

» 802.1X traffic
» Other traffic (unblocked)

SLIDE 20

EAP – Extensible Authentication Protocol

» Encapsulates authentication
» Runs over any link layer, but was designed for PPP
» Messages: Requests, Responses

Code | Identifier | Length | Type | Type-Data
1    | 1          | 2      | 1    | variable   (bytes)

[Diagram: EAP layering. Methods: TLS, AKA/SIM, Token Card. Links: PPP, 802.3, 802.11]

[Diagram: message sequence between STA and Authenticator: EAP Identity Request, EAP Identity Response, EAP Auth Request, EAP Auth Response, EAP-Success]

SLIDE 21

802.1X with RADIUS

SLIDE 22

Dynamic WEP

♦ Uses 802.1X

♦ User authentication

» Support of multiple authentication methods
» Centralized database with users’ credentials, independent of APs

♦ Also enables AP authentication

♦ Authentication keys ≠ encryption keys

♦ Periodic update of WEP keys

SLIDE 23

Dynamic WEP (2)

  • 1. Authentication through an 802.1X EAP method
  • 2. Generation of MPPE key (Microsoft Point-to-Point Encryption)
  • 3. MPPE key encrypted with RADIUS key
  • 4. Generation of WEP key
  • 5. AP encrypts the WEP key with the MPPE key and sends it over EAPOL-KEY
  • 6. Station decrypts the WEP key with the MPPE key
  • 7. Station applies the WEP key
  • 8. AP applies the WEP key
  • 9. 802.11 data frames are unblocked and encrypted with WEP

SLIDE 24

802.11i

♦ WEP failure → IEEE 802.11i

♦ Authentication/Access Control

» Pre-shared key (PSK)
» With Authentication Server, using 802.1X

♦ Key Management

» Temporary Keys
» Authentication keys ≠ Encryption keys

♦ Data encryption

» CCMP (Counter mode Cipher block Chaining MAC protocol)

– Based on the AES cipher algorithm

» TKIP (Temporal Key Integrity Protocol)

– Based on the RC4 cipher algorithm (same as WEP)

♦ Infrastructure and ad-hoc modes

SLIDE 25

Wi-Fi Protected Access

♦ WPA

» Based on Draft 3.0 of 802.11i (2002)
» Short term solution for legacy equipment
» No support for CCMP or ad-hoc mode
» TKIP reuses the WEP HW (RC4 cipher algorithm)

– Firmware upgrade

♦ WPA2

» Supports 802.11i
» Long term solution

SLIDE 26

Authentication methods (802.1X)

♦ Requires Authentication Server

♦ Most popular Wi-Fi authentication methods

» EAP-TLS
» EAP-TTLS
» PEAP

SLIDE 27

EAP-TLS

♦ Uses TLS to authenticate both server and user through certificates

♦ Mandatory in WPA

♦ Cons:

» Certificates are expensive
» User identity goes in clear in the user’s certificate

[Diagram: protocol stack across ST, AP and AS. TLS (authentication of server and user) runs over EAP, which is carried by 802.1X (EAPoL) over 802.11 between ST and AP, and by RADIUS over UDP/IP between AP and AS]

SLIDE 28

Tunneled authentication

♦ Two phase authentication

» TLS tunnel authenticates the Authentication Server
» User is authenticated over the TLS tunnel

– Support of weaker methods for user’s authentication
– Certificates are optional
– User’s identity goes encrypted

♦ EAP-TTLS, PEAP

SLIDE 29

EAP-TTLS

♦ EAP-Tunneled TLS

[Diagram: protocol stack across ST, AP and AS. PAP, CHAP, MS-CHAP, EAP, … (User authentication) run inside TLS (Server authentication), over EAP, which is carried by 802.1X (EAPoL) over 802.11 between ST and AP, and by RADIUS over UDP/IP between AP and AS]

SLIDE 30

PEAP

♦ Protected Extensible Authentication Protocol

♦ v0 → Microsoft, v1 → Cisco

♦ PEAPv0/EAP-MSCHAPv2 – the most popular

[Diagram: protocol stack across ST, AP and AS. EAP MSCHAPv2, TLS, … (user authentication) run inside TLS (server authentication), over EAP, which is carried by 802.1X (EAPoL) over 802.11 between ST and AP, and by RADIUS over UDP/IP between AP and AS]

SLIDE 31

Key Management

♦ Master Key (MK) generated by Authentication Server

♦ Pairwise Master Key (PMK) generated from MK

♦ PMK sent to the AP through the AAA protocol (RADIUS)

♦ Generation of the Pairwise Transient Key (PTK) through the 4-way handshake

♦ Group Temporal Key (GTK) generated by the AP and sent through the Group key handshake

SLIDE 32

Key Management (2)

[Diagram label: Encrypted with PTK]

PTK = Hash(PMK, Anonce, Snonce, MACaddrSTA, MACaddrAP)
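The PTK formula above, carried through with the concrete functions 802.11i uses for it: the HMAC-SHA1 based PRF with the label "Pairwise key expansion", and PBKDF2 for the PSK case from the 802.11i slide. This is an added example, not part of the original slides; the passphrase, SSID, MAC addresses, nonces and message bytes are constructed, and the 384-bit split into KCK, KEK and TK is the CCMP case.

```python
# Added example: 802.11i pairwise key derivation. All inputs are constructed.
import hashlib
import hmac

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, anonce, snonce, mac_ap, mac_sta) -> dict:
    """PTK = PRF(PMK, label, sorted MAC addresses || sorted nonces), split into keys."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)   # 384 bits, CCMP case
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Handshake message MIC keyed with the KCK (HMAC-SHA1 truncated to 128 bits)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

# Constructed values
PMK = pmk_from_psk("correct horse battery", "ExampleNet")
MAC_AP, MAC_STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def handshake_agrees(sta_pmk: bytes = PMK) -> bool:
    """Station and AP derive the PTK independently; the AP checks the station's MIC."""
    sta = derive_ptk(sta_pmk, ANONCE, SNONCE, MAC_AP, MAC_STA)
    ap = derive_ptk(PMK, ANONCE, SNONCE, MAC_AP, MAC_STA)
    msg2 = b"constructed EAPOL-Key message 2" + SNONCE
    return hmac.compare_digest(mic(sta["KCK"], msg2), mic(ap["KCK"], msg2))
```

The PMK never crosses the air; only the nonces and the MIC do, so a station with the wrong PMK fails the MIC check in the second handshake message.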

SLIDE 33

TKIP Encryption Key Generation

» Reduces the correlation between the keystream and the encryption key

SLIDE 34

Data frames – WEP, TKIP, and CCMP

[Figure: three frame layouts, each marked with its Encrypted and Authenticated portions]

» CCMP: 802.11 Header | IV / KeyID (4 octets) | Extended IV (4 octets) | Data (>= 0 octets) | MIC (8 octets)
» TKIP: 802.11 Header | IV / KeyID (4 octets) | Extended IV (4 octets) | Data (>= 0 octets) | MIC (8 octets) | ICV (4 octets)
» WEP: 802.11 Header | IV / KeyID (4 octets) | Data (>= 0 octets) | ICV (4 octets)

SLIDE 35

Message integrity

♦ ICV = CRC32, not really a signature

♦ MIC → signature/hash
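Why the CRC32 ICV is "not really a signature", and what "CRC32 (linear)" on the WEP Vulnerabilities (3) slide means in practice: the checksum of a changed message follows from the old checksum and the change alone, whereas a keyed MIC does not. This is an added example, not part of the original slides; the messages and key are constructed, and HMAC-SHA256 is used as a stand-in keyed MIC rather than TKIP's Michael or CCMP's CBC-MAC.

```python
# Added example: why a CRC32 ICV is not a message integrity code. Data is constructed.
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP-style ICV: plain CRC32 of the data, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def mic(key: bytes, data: bytes) -> bytes:
    """Keyed MIC. HMAC-SHA256 is a stand-in, not TKIP's Michael or CCMP's CBC-MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def predicted_icv(old_icv: bytes, delta: bytes) -> bytes:
    """CRC32 is affine: CRC(m ^ d) = CRC(m) ^ CRC(d) ^ CRC(0...0) for equal lengths.
    The new ICV follows from the old one and the change alone, without seeing m."""
    return xor(xor(old_icv, icv(delta)), icv(bytes(len(delta))))

def predicted_mic(key_guess: bytes, old_mic: bytes, delta: bytes) -> bytes:
    """The same algebra applied to the MIC; it fails without the real key."""
    zero = bytes(len(delta))
    return xor(xor(old_mic, mic(key_guess, delta)), mic(key_guess, zero))

MIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
MSG = b"sensor reading: 0021 units"                            # constructed
CHANGED = b"sensor reading: 9921 units"                        # constructed
DELTA = xor(MSG, CHANGED)                                      # bits that differ

def icv_detects_change() -> bool:
    """True only if a receiver checking the ICV would reject the changed message."""
    return predicted_icv(icv(MSG), DELTA) != icv(CHANGED)

def mic_detects_change() -> bool:
    """True if a receiver checking the keyed MIC rejects the changed message."""
    guessed = predicted_mic(b"\x00" * 16, mic(MIC_KEY, MSG), DELTA)
    return not hmac.compare_digest(guessed, mic(MIC_KEY, CHANGED))
```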

SLIDE 36

GSM

SLIDE 37

Security in GSM

♦ Security services

» access control/authentication

– user → SIM (Subscriber Identity Module) → secret PIN (Personal Identification Number)
– SIM → contains Ki (subscriber secret authentication key)

» confidentiality

– voice and signaling encrypted on the wireless link (after authentication)

» anonymity

– TMSI - Temporary Mobile Subscriber Identity
– newly assigned at each new location update
– encrypted transmission

♦ 3 algorithms specified in GSM

» A3 for authentication
» A5 for encryption
» A8 for key generation

SLIDE 38

GSM - Authentication

[Diagram: the mobile network (AuC) and the SIM each feed RAND (128 bit) and Ki (128 bit) into A3; the AuC obtains SRES* (32 bit) and the SIM obtains SRES (32 bit); the network sends RAND, the SIM returns SRES, and the MSC checks SRES* =? SRES]

Ki: individual subscriber authentication key
SRES: signed response

SLIDE 39

GSM - Key Generation and Encryption

[Diagram: the mobile network (AuC) and the SIM each feed RAND (128 bit) and Ki (128 bit) into A8 to obtain the cipher key Kc (64 bit); the BTS and the MS use Kc with A5 to encrypt and decrypt the data exchanged between them]

SLIDE 40

Security in GPRS and UMTS

(3GPP TS 23.060, 3GPP TS 33.102)

SLIDE 41

Security Function

♦ Authentication of the MS by the network

♦ User identity anonymity

» Temporary identification, ciphering

♦ Data and signalling confidentiality

» Ciphering

♦ In UMTS (Iu mode)

» also authentication of the network by the MS

SLIDE 42

Authentication

♦ Two types of authentication

» GSM authentication
» UMTS authentication
» Independent of the RAN modes

♦ GSM authentication

» Based on SIM
» Authentication of the MS by the network
» Establishment of GSM ciphering key (Kc) between the SGSN and the MS

♦ UMTS authentication

» Based on USIM
» Requires authentication quintets
» Implies mutual authentication
» Agreement between SGSN and MS on Ciphering Key (CK) and Integrity Key (IK)

SLIDE 43

GSM Authentication

  • 1. SGSN requests Authentication-Info (IMSI); HLR responds
  • 2. SGSN

» sends Authentication-Ciphering(RAND, CKSN, Ciphering Algorithm)
» MS responds with Ciphering-Response (SRES)

♦ GPRS: MS starts ciphering after sending Response message

♦ UMTS: SGSN / MS shall generate CK and IK from the GSM Kc

[Diagram: message sequence among MS, RAN, SGSN and HLR: 1. Send Authentication Info; 1. Send Authentication Info Ack; 2. Authentication and Ciphering Request; 2. Authentication and Ciphering Response]

SLIDE 44

UMTS Authentication

[Diagram: message sequence among MS, VLR/SGSN and HE/HLR]

Distribution of authentication vectors from HE to SN:

» VLR/SGSN → HE/HLR: Authentication data request
» HE/HLR: Generate authentication vectors AV(1..n)
» HE/HLR → VLR/SGSN: Authentication data response AV(1..n)
» VLR/SGSN: Store authentication vectors

Authentication and key establishment:

» VLR/SGSN: Select authentication vector AV(i)
» VLR/SGSN → MS: User authentication request RAND(i) || AUTN(i)
» MS: Verify AUTN(i); Compute RES(i)
» MS → VLR/SGSN: User authentication response RES(i)
» VLR/SGSN: Compare RES(i) and XRES(i)
» MS: Compute CK(i) and IK(i)
» VLR/SGSN: Select CK(i) and IK(i)

SLIDE 45

Generation of an Authentication Vector by HE/AuC

[Diagram: HE/AuC generates SQN and RAND; K, SQN, AMF and RAND feed f1 to produce MAC; K and RAND feed f2, f3, f4 and f5 to produce XRES, CK, IK and AK]

AUTN := SQN ⊕ AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN

SLIDE 46

User authentication function in the USIM

[Diagram: from the received RAND and AUTN (SQN ⊕ AK, AMF, MAC), the USIM computes AK with f5 and recovers SQN by XORing AK with SQN ⊕ AK; K, SQN, AMF and RAND feed f1 to produce XMAC; K and RAND feed f2, f3 and f4 to produce RES, CK and IK]

» Verify MAC = XMAC
» Verify that SQN is in the correct range
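Both sides of the UMTS authentication above in one place: the HE/AuC building AV and AUTN, and the USIM verifying MAC = XMAC and the SQN range before it releases RES, CK and IK. This is an added example, not part of the original slides; f1 to f5 are HMAC-SHA256 stand-ins (the real functions are operator-chosen, for example MILENAGE), the SQN window of 32 is an assumed acceptance rule, and K, RAND, SQN and AMF are constructed.

```python
# Added example: UMTS AKA vector generation and USIM check. Values are constructed.
import hashlib
import hmac

def f(k: bytes, name: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5 (HMAC-SHA256 truncated); real networks use e.g. MILENAGE."""
    return hmac.new(k, name + data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k: bytes, sqn: bytes, amf: bytes, rand: bytes) -> dict:
    """HE/AuC side: AV := RAND || XRES || CK || IK || AUTN."""
    mac = f(k, b"f1", sqn + amf + rand, 8)
    ak = f(k, b"f5", rand, 6)
    autn = xor(sqn, ak) + amf + mac            # AUTN := SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": f(k, b"f2", rand, 8), "CK": f(k, b"f3", rand, 16),
            "IK": f(k, b"f4", rand, 16), "AUTN": autn}

def usim_authenticate(k: bytes, rand: bytes, autn: bytes, sqn_ms: int, window: int = 32):
    """USIM side: verify the network (MAC, SQN) before releasing RES, CK and IK."""
    ak = f(k, b"f5", rand, 6)
    sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
    xmac = f(k, b"f1", sqn + amf + rand, 8)
    if not hmac.compare_digest(mac, xmac):
        raise ValueError("MAC != XMAC: AUTN was not produced with this K")
    if not sqn_ms < int.from_bytes(sqn, "big") <= sqn_ms + window:
        raise ValueError("SQN out of range: stale or replayed vector")
    return {"RES": f(k, b"f2", rand, 8), "CK": f(k, b"f3", rand, 16),
            "IK": f(k, b"f4", rand, 16), "SQN": int.from_bytes(sqn, "big")}

K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")      # constructed subscriber key
RAND = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed challenge
AV = generate_av(K, (41).to_bytes(6, "big"), b"\x80\x00", RAND)

def run_exchange(sqn_ms: int = 40) -> bool:
    """VLR/SGSN sends RAND || AUTN, then compares RES with XRES."""
    out = usim_authenticate(K, AV["RAND"], AV["AUTN"], sqn_ms)
    return hmac.compare_digest(out["RES"], AV["XRES"]) and out["CK"] == AV["CK"]
```

The MAC check is what gives UMTS the network authentication that GSM lacks, and the SQN check is what makes a recorded RAND || AUTN pair useless once the USIM has accepted it.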

SLIDE 47

Scope of Ciphering

♦ Ciphering Algorithm

» A/Gb mode: GPRS Encryption Algorithm (GEA)

– Kc is an input to the algorithm

» Iu mode: UMTS Encryption Algorithm (UEA)

– CK is an input to the algorithm

[Diagram: MS, BSS/UTRAN and SGSN, showing the scope of GPRS ciphering and the scope of UMTS ciphering]

SLIDE 48

[Diagram: UMTS security and GSM security interworking between a Release 99+ HLR/AuC, Release 99+ and Release 98- VLR/SGSNs, UTRAN and GSM BSS, MEs capable and not capable of UMTS AKA, and the USIM. Quintets (RAND, AUTN, RES, CK, IK) and Triplets (RAND, SRES, Kc) are related by the conversions CK, IK → Kc and RES → SRES]