Wireless Networks and Protocols MAP-TELE Jaime Dias, Manuel - - PowerPoint PPT Presentation
WNP-MPR-Sec 1 Wireless Networks and Protocols MAP-TELE Jaime Dias, Manuel Ricardo Faculdade de Engenharia da Universidade do Porto WNP-MPR-Sec 2 Topics Scheduled for Today Authentication and access control Security basic
WNP-MPR-Sec 1
MAP-TELE
Jaime Dias, Manuel Ricardo
Faculdade de Engenharia da Universidade do Porto
WNP-MPR-Sec 2
♦ Authentication and access control
» Security – basic concepts » WLAN » 3GPP networks: GSM, GPRS, UMTS
WNP-MPR-Sec 3
WNP-MPR-Sec 4
♦ Ex: RC4, AES
4
WNP-MPR-Sec 5
♦ Input
» variable length message
♦ Output
» a fixed-length bit string (the hash)
♦ Used to guarantee message integrity and source identification ♦ Ex: MD5, SHA1
5
WNP-MPR-Sec 6
6
WNP-MPR-Sec 7
7
WNP-MPR-Sec 8
8
Alice Carol Bob (1) KpubAlice (7) KpubAlice[“Logo pelas 19h”] (2) KpubCarol (4) KpubCarol[“Logo pelas 20h”] (5) KprivCarol[KpubCarol[“Logo pelas 20h”]]=“Logo pelas 20h” (6) “Logo pelas 20h”è“Logo pelas 19h” (3) “Logo pelas 20h” Alice Bob (1) KpubAlice (3) KpubAlice[“Logo pelas 19h”] (2) “Logo pelas 19h” (8) KprivAlice[KpubAlice[“Logo pelas 19h”]]=“Logo pelas 19h” (4) KprivAlice[KpubAlice[“Logo pelas 19h”]]=“Logo pelas 19h”
Ataque MIM: O que a Alice julga ter acontecido:
WNP-MPR-Sec 9
9
WNP-MPR-Sec 10
♦ SSL (Secure Socket Layer)
– Developed by Netscape
♦ TLS 1.x (Transport Layer Security)
– IETF
♦ Transparent to application protocols ♦ Server/client can authenticate
♦ But, due to certificate costs
» Servers è authenticated by certificates » Clients è authenticated at the application layer (e.g. passwords)
10
WNP-MPR-Sec 11
Client:
» connects to a TLS-enabled server requesting secure connection » presents a list of supported CipherSuites (ciphers, hash functions)
Server:
» picks the strongest CipherSuite; notifies the client about the decision
Server:
» sends back its identification as a Digital Certificate » Certificate: [server name, server's public encryption key , trusted certificate authority (CA)]
Client:
» Contacts CA and verifies if certificate is authentic
Client:
» encrypts a random number (RN) with the server's public key (PbK) » sends it to server
Server
» Decrypts RN using its private key (PvK)
Client Server: generate key material for encryption/decryption Client: authenticates near the server
WNP-MPR-Sec 12
WNP-MPR-Sec 13
♦ “Minimum” security WEP (Wired Equivalent Privacy) ♦ Station authentication
» Open mode è no authentication » Shared Mode
– AP sends challenge è station returns the challenge encrypted with the WEP key
♦ Confidentiality è frames are encrypted with RC4 ♦ Integrity è CRC32
13
WNP-MPR-Sec 14 14
WEP PRNG (RC4) IV WEP Key SDU ICV (crc32) XOR Cryptogram IV Frame 802.11 Header FCS
Keystream
WNP-MPR-Sec 15 15
WEP PRNG (RC4) IV WEP Key SDU ICV XOR Cryptogram IV Frame 802.11 ICV Header FCS
Keystream Check values
WNP-MPR-Sec 16
♦ Same IV and WEP key same keystream
» IV too short (24 bits) » No mechanism for WEP key update
♦ Same keystream:
» SDU2 ⊕ SDU1 = cryptogram1 ⊕ cryptogram2 » If SDU1 is known (ICMP, TCP ack, …) then » SDU2 = cryptogram1 ⊕ cryptogram2 ⊕ SDU1
16
WNP-MPR-Sec 17
» RC4 key = IV (3 bytes) + WEP key (5 or 13 bytes)
♦ Weak IVs help breaking the WEP key
» Weak IVs: i:ff:X
♦ Ex: Weak IVs for WEP keys of 40 bits
» 3:ff:X, 4:ff:X, 5:ff:X, 6:ff:X, 7:ff:X
17
WNP-MPR-Sec 18
♦ Integrity Check Value based on CRC32 (linear) ♦ WEP does not authenticate nor check the integrity of the frame
» Station can change the MAC address
♦ AP is not authenticated
» Rogue AP
♦ WEP does not control the frame sequence
» Replay attacks
♦ Same key for every station
» Traffic can be eavesdropped or even changed by any station knowing the WEP key
18
WNP-MPR-Sec 19
♦ Manufacturers put additional barriers
» Authentication by SSID
– Station monitors the medium and wait for another station to associate to see the SSID
» Access control by MAC address
– Station sees the MAC address of allowed stations and clone their address
19
WNP-MPR-Sec 20
Before the authentication
Traffic 802.1X Other traffic (blocked)
After the authentication
Traffic 802.1X Other traffic (unblocked)
WNP-MPR-Sec 21
Requests , Responses
Code | Identifier | Length | Type | Type-Data
bytes 1 1 2 1 variable
EAP
TLS
AKA/ SIM
Token Card PPP 802.3 802.11 Methods Links
EAP Identity Request EAP-Success STA Authenticator EAP Auth Response EAP Auth Request EAP Identity Response
WNP-MPR-Sec 22
22
WNP-MPR-Sec 23
♦ Uses 802.1X ♦ User authentication
» Support of multiple authentication methods » Centralized database with users’ credentials, independent of APs
♦ Enables also AP authentication ♦ Authenticaton keys ≠ encryption keys ♦ Periodic update of WEP keys
23
WNP-MPR-Sec 24
24
(Microsoft Point-to-Point Encryption)
the MPPE key and sends it over EAPOL-KEY
key with the MPPE key
key
encrypted with WEP
WNP-MPR-Sec 25
♦ WEP failure IEEE 802.11i ♦ Authentication/Access Control
» Pre-shared key (PSK) » With Authentication Server , using 802.1X
♦ Key Management
» Temporary Keys » Authentication keys ≠ Encryption keys
♦ Data encryption
» CCMP (Counter mode Cipher block Chaining MAC protocol)
– Based on the AES cipher algorithm
» TKIP (Temporal Key Integrity Protocol)
– Based on the RC4 cipher algorithm (same as WEP)
♦ Infraestructured and ad-hoc modes
25
WNP-MPR-Sec 26
♦ WPA
» Based on Draft 3.0 of 802.11i (2002) » Short term solution for legacy equipments » No support for CCMP nor ad-hoc mode » TKIP reuses the WEP HW (RC4 cipher algorithm)
– Firmware upgrade
♦ WPA2
» Supports 802.11i » Long term solution
26
WNP-MPR-Sec 27
♦ Requires Authentication Server ♦ Most popular Wi-Fi authentication methods
» EAP-TLS » EAP-TTLS » PEAP
27
WNP-MPR-Sec 28 28
♦ Uses TLS to authenticate both server and user through certificates ♦ Mandatory in WPA ♦ Cons:
» Certificates are expensive » User identity goes in clear in the user’s certificate
802.1X (EAPoL) 802.11 TLS (authentication of server and user) EAP RADIUS UDP/IP ST AP AS
WNP-MPR-Sec 29
♦ Two phase authentication
» TLS tunnel authenticates the Authentication Server » User is autenticated over the TLS tunel
– Support of weaker methods for user’s authentication – Certificates are optional – User’s identity goes encrypted
♦ EAP-TTLS, PEAP
29
WNP-MPR-Sec 30
♦ EAP- Tunneled TLS
30 802.1X (EAPoL) 802.11 TLS (Server authentication) EAP RADIUS UDP/IP PAP, CHAP, EAP, …(User authentication) ST AP AS
MS-CHAP
WNP-MPR-Sec 31
♦ Protected Extensible Authentication Protocol ♦ v0 Microsoft, v1 Cisco ♦ PEAPv0/EAP-MSCHAPv2 – the most popular
31 802.1X (EAPoL) 802.11 TLS (server authentication) EAP RADIUS UDP/IP EAP MSCHAPv2, TLS, …(user authentication) ST AP AS
WNP-MPR-Sec 32
♦ Master Key (MK) generated
♦ Pairwise Master Key (PMK)
♦ PMK sent to the AP through
♦ Generation of the Pairwise
♦ Group key handshake (GTK)
32
Group key handshake
WNP-MPR-Sec 33
33
Encrypted with PTK
PTK = Hash(PMK, Anonce, Snonce, MACaddrSTA, MACaddrAP)
WNP-MPR-Sec 34
» Diminui correlação entre a keystream e a chave de cifragem
34
WNP-MPR-Sec 35
35
IV / KeyID 4octets Extented IV 4 octets Data >=0 octets MIC 8 octets 802.11 Header Encrypted Authenticated Authenticated
IV / KeyID 4octets Extented IV 4 octets Data >=0 octets MIC 8 octets 802.11 Header ICV 4 octets Authenticated Authenticated
Encrypted
IV / KeyID 4octets Data >=0 octets 802.11 Header ICV 4 octets Authenticated
Encrypted
WNP-MPR-Sec 36
♦ ICV = CRC32 not really a signature ♦ MIC signature/hash
36
WNP-MPR-Sec 37
WNP-MPR-Sec 38
♦ Security services
» access control/authentication
– user èSIM (Subscriber Identity Module)èsecret PIN (Personal Identification Number) – SIM è contains Ki (subscriber secret authentication key)
» confidentiality
voice and signaling encrypted on the wireless link (after authentication)
» anonymity
– TMSI - Temporary Mobile Subscriber Identity – newly assigned at each new location update – encrypted transmission
♦ 3 algorithms specified in GSM
» A3 for authentication » A5 for encryption » A8 for key generation
WNP-MPR-Sec 39
A3 RAND Ki 128 bit 128 bit SRES* 32 bit A3 RAND Ki 128 bit 128 bit SRES 32 bit SRES* =? SRES SRES RAND SRES 32 bit mobile network SIM AuC MSC SIM
Ki: individual subscriber authentication key SRES: signed response
WNP-MPR-Sec 40
A8 RAND Ki 128 bit 128 bit Kc 64 bit A8 RAND Ki 128 bit 128 bit SRES RAND encrypted data mobile network (BTS) MS with SIM AuC BTS SIM A5 Kc 64 bit A5 MS data data cipher key
WNP-MPR-Sec 41
WNP-MPR-Sec 42
♦ Authentication of the MS by the network ♦ User identity anonymity
» Temporary identification, ciphering
♦ Data and signalling confidentiality
» Ciphering
♦ In UMTS (Iu mode)
» also authentication of the network by the MS
WNP-MPR-Sec 43
♦ Two types of authentication
» GSM authentication » UMTS authentication » Independent of the RAN modes
♦ GSM authentication
» Based on SIM » Authentication of the MS by the network » Establishment of GSM ciphering key (Kc) between the SGSN and the MS
♦ UMTS authentication
» Based on USIM » Requires authentication quintets » Implies mutual authentication » Agreement between SGSN and MS on
Ciphering Key (CK) and Integrity Key (IK)
WNP-MPR-Sec 44
» sends Authentication-Ciphering(RAND, CKSN, Ciphering Algorithm)
» MS responds with Ciphering-Response (SRES) ♦ GPRS: MS starts ciphering after sending Response message ♦ UMTS: SGSN / MS shall generate CK and IK from the GSM Kc
MS RAN HLR SGSN
WNP-MPR-Sec 45
MS VLR/SGSN HE/HLR Generate authentication vectors AV(1..n) Store authentication vectors Select authentication vector AV(i) Authentication data request Authentication data response AV(1..n) User authentication request RAND(i) || AUTN(i) User authentication response RES(i) Compare RES(i) and XRES(i) Verify AUTN(i) Compute RES(i) Compute CK(i) and IK(i) Select CK(i) and IK(i) Authentication and key establishment Distribution of authentication vectors from HE to SN
WNP-MPR-Sec 46
K SQN RAND f1 f2 f3 f4 f5 MAC XRES CK IK AK AUTN := SQN ⊕ AK || AMF || MAC AV := RAND || XRES || CK || IK || AUTN Generate SQN Generate RAND AMF
WNP-MPR-Sec 47
K SQN RAND f1 f2 f3 f4 f5 XMAC RES CK IK AK SQN ⊕ AK AMF MAC AUTN Verify MAC = XMAC Verify that SQN is in the correct range ⊕
WNP-MPR-Sec 48
♦ Ciphering Algorithm
» A/Gb mode: GPRS Encryption Algorithm (GEA)
– Kc is an input to the algorithm
» Iu mode: UMTS Encryption Algorithm (UEA)
– CK is an input to the algorithm MS BSS/UTRAN SGSN Scope of GPRS ciphering Scope of UMTS ciphering
WNP-MPR-Sec 49 Release 99+ VLR/SGSN Release 98- VLR/SGSN Release 99+
HLR/AuC
USIM
RAND AUTN RES CK IK CK, IK Kc
UTRAN
ME capable of UMTS AKA
RAND AUTN RES [Kc] CK, IK Kc
GSM BSS
CK, IK Kc RES SRES CK, IK Kc
ME not capable of UMTS AKA
CK, IK Kc CK, IK Kc RES SRES RAND [AUTN] SRES [Kc] Kc RAND SRES [Kc] Kc
ME
CK, IK Kc RES SRES Quintets Triplets CK, IK Kc RES SRES
UMTS security GSM security
CK, IK Kc