VARNOST V BREZ - PowerPoint PPT Presentation

Loading...

PPT – VARNOST V BREZ PowerPoint presentation | free to download - id: 4a48af-NGM1N



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

VARNOST V BREZ

Description:

VARNOST V BREZ I NIH OMRE JIH Review of Wireless Security Kruno Kisi ek, CISM Februar, 2007 Contents: Introduction - Wireless Landscape (Wireless technologies ... – PowerPoint PPT presentation

Number of Views:116
Avg rating:3.0/5.0
Slides: 88
Provided by: KrunoK5
Learn more at: http://www.isaca.si
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: VARNOST V BREZ


1
VARNOST V BREZŽICNIH OMREŽJIHReview of Wireless
Security
  • Kruno Kisicek, CISM
  • Februar, 2007

2
Contents
  • Introduction - Wireless Landscape (Wireless
    technologies, Architectural Models, Components,
    Security Framework,..
  • Comprehensive Review of 802.11(i) Wireless LAN
    Security
  • Review of GSM/UMTS Wireless Security
  • Review of WiMAX Wireless Security
  • Summary

3
Background Wireless Landscape
High-Speed Connectivity Hierarchy of Networks
Low Cost Complexity
Personal Area Network
Fixed Broadband Wireless (e.g.802.16) Cellular
Mobile Networks (e.g. GPRS,3G)
High Cost Complexity
Increasing Coverage Area
4
Background Wireless Technologies
WAN (Wide Area Network)
MAN (Metropolitan Area Network)
LAN (Local Area Network)
PAN (Personal Area Network)
PAN LAN MAN WAN
Standards Bluetooth, UWB 802.11 HiperLAN2 802.16 MMDS, LMDS GSM, GPRS, CDMA, 2.5-3G, HSDPA 802.16e
Speed lt 1Mbps 11 to 54 Mbps 11 to 100 Mbps 10 Kbps 100Mbps
Range Short Medium Medium-Long Long
Applications Peer-to-Peer Device-to-Device Enterprise networks T1 replacement, last mile access PDAs, Mobile Phones, cellular access
5
Comparing Technologies
802.11WiFi 802.16WiMAX 802.20Mobile-FI UMTS3G
Bandwidth 11-54 Mbps shared Share up to 70 Mbps Up to 1.5 Mbps each 384 Kbps 2 Mbps
Range (LOS)Range (NLOS) 100 meters 30 meters 30 50 km 2 - 5 km (07) 3 8 km Coverage is overlaid on wireless infrastructure
Mobility Portable Fixed (Mobile - 16e) Full mobility Full mobility
Frequency/Spectrum 2.4 GHz for 802.11b/g 5.2 GHz for 802.11a 2-11 GHz for 802.16a 11-60 GHz for 802.16 lt3.5 GHz Existing wireless spectrum
Licensing Unlicensed Both Licensed Licensed
Standardization 802.11a, b and g standardized 802.16, 802.16a and 802.16 REVd standardized, other under development 802.20 in development Part of GSM standard
Availability In market today In market today Standards coming Product late 06 (???) Widely
6
Potential Services
802.11 WiFi 802.16 WiMAX 802.20 Mobile-FI UMTS 3G
VoIP Limited, QoS concerns Limited, QoS concerns Limited, QoS concerns Yes
Video Yes, in home Possible, QoS concerns No Possible, via HSDPA
Data/Internet Yes Yes Yes Yes
WLAN Yes, small scale Yes, large scale No No
Security WEP 802.11i Developing WEP None (today) A3/A5/A8/..
QoS 802.11e 802.16b None (today) Limited
7
IEEE 802.11 Standards - Wireless Fidelity
(Wi-Fi)
802.11n
Release Date Op. Frequency Data Rate (Typ) Data Rate (Max) Range (Indoor)
January 2007 (Linksys) 2.4 GHz or 5 GHz 200 Mbit/s 540 Mbit/s 50 meters (165 ft)
8
IEEE 802.11 Network Components
  • IEEE 802.11 has two fundamental architectural
    components, as follows
  • Station (STA). A STA is a wireless endpoint
    device. Typical examples of STAs are laptop
    computers, personal digital assistants (PDA),
    mobile phones, and other consumer electronic
    devices with IEEE 802.11 capabilities.
  • Access Point (AP). An AP logically connects
    STAs with a distribution system (DS), which is
    typically an organizations wired infrastructure.
    APs can also logically connect wireless STAs with
    each other without accessing a distribution
    system.

9
IEEE 802.11 Architectural Models
10
Overview of IEEE 802.11 Security
  • The most common security objectives for WLANs are
    as follows
  • Confidentialityensure that communication cannot
    be read by unauthorized parties
  • Integritydetect any intentional or
    unintentional changes to data that occur in
    transit
  • Availabilityensure that devices and individuals
    can access a network and its resources whenever
    needed
  • Access Controlrestrict the rights of devices or
    individuals to access a network or resources
    within a network.

11
Major Threats against LAN Security
12
Taxonomy for Pre-RSN and RSN Security
13
802.11 Station Authentication
1. Client broadcasts a probe request frame on
every channel 2. Access points within range
respond with a probe response frame 3. The client
decides which access point (AP) is the best for
access and sends an authentication request 4.
The access point will send an authentication
reply 5. Upon successful authentication, the
client will send an association request frame
to the access point 6. The access point will
reply with an association response 7. The client
is now able to pass traffic to the access point
14
Probe Request Frame
15
Access Control and Authentication
  • The original IEEE 802.11 specification defines
    two means to validate the identities of wireless
    devices attempting to gain access to a WLAN
  • open system authentication and
  • shared key authentication.

16
Open system authentication
  • Open system authentication is effectively a null
    authentication mechanism that does not provide
    true identity verification. In practice, a STA is
    authenticated to an AP simply by providing the
    following information
  • Service Set Identifier (SSID) for the AP. The
    SSID is a name assigned to a WLAN it allows STAs
    to distinguish one WLAN from another. SSIDs are
    broadcast in plaintext in wireless
    communications, so an eavesdropper can easily
    learn the SSID for a WLAN.
  • Media Access Control (MAC) address for the STA.
    Many implementations of IEEE 802.11 allow
    administrators to specify a list of authorized
    MAC addresses the AP will permit devices with
    those MAC addresses only to use the WLAN. This is
    known as MAC address filtering. Unfortunately,
    almost all WLAN adapters allow applications to
    set the MAC address, so it is relatively trivial
    to spoof a MAC address, meaning attackers can
    gain unauthorized access easily.

17
Open Authentication with Differing WEP Keys
18
Shared key authentication
  • As the name implies, shared key authentication is
    based on a secret cryptographic key known as a
    Wired Equivalent Privacy (WEP) key this key is
    shared by legitimate STAs and APs.

19
Shared key authentication
  • Shared key authentication is still weak because
  • AP is not authenticated to the STA, so there is
    no assurance that the STA is communicating with a
    legitimate AP
  • Challenge-response process can be compromised by
    methods such as man-in-the-middle attacks and
    off-line brute force or dictionary attacks.
  • All devices on a WLAN use the same WEP key or the
    same small set of keys
  • Does not specify any support for key management.

20
Encryption
  • The WEP protocol, part of the IEEE 802.11
    standard, uses the RC4 stream cipher algorithm to
    encrypt wireless communications, which protects
    their contents from disclosure to eavesdroppers.
  • The standard for WEP specifies support for a
    40-bit WEP key only however, many vendors offer
    non-standard extensions to WEP that support key
    lengths of up to 104 bits.
  • WEP also uses a 24-bit value known as an
    initialization vector (IV) as a seed value for
    initializing the cryptographic key stream. For
    example, a 104-bit WEP key with a 24-bit IV
    becomes a 128-bit RC4 key.

21
WEP Encryption and Its Weaknesses
  • With ECB (Electronic Code Book) mode encryption,
    the same plain-text input always generates the
    same cipher-text output.
  • There are two encryption techniques to overcome
    this issue
  • Initialization vectors
  • Feedback modes
  • An initialization vector (IV) is used to alter
    the key stream. The IV is a numeric value that is
    concatenated to the base key before the key
    stream is generated. Every time the IV changes,
    so does the key stream.
  • Feedback modes are generally used with block
    ciphers, and the most common feedback mode is
    known as cipher block chaining (CBC) mode.

22
WEP Privacy Using RC4 Algorithm
23
Encryption
  • Most attacks against WEP encryption have been
    based on IV-related vulnerabilities. For example,
    the IV portion of the RC4 key is sent in
    cleartext, which allows an eavesdropper that
    monitors and analyzes a relatively small amount
    of network traffic to recover the key by taking
    advantage of the IV value knowledge, the
    relatively small 24-bit IV key space, and a
    weakness in the way WEP implements the RC4
    algorithm.

24
Vulnerability of Shared Key Authentication
25
Initialization Vector Replay Attacks
  • A known plain-text message is sent to an
    observable wireless LAN client (an e-mail
    message)
  • The network attacker will sniff the wireless LAN
    looking for the predicted cipher text
  • The network attacker will find the known frame
    and derive the key stream
  • The network attacker can grow the key stream
    using the same IV/WEP key pair as the observed
    frame
  • This attack is based on the knowledge that
    the IV and base WEP key can be reused or replayed
    repeatedly to generate a key stream large enough
    to subvert the network.

26
Initialization Vector Replay Attacks
  • The network attacker can build a frame one byte
    larger than the known key stream size an
    Internet Control Message Protocol (ICMP) echo
    frame is ideal because the access point solicits
    a response
  • The network attacker then augments the key stream
    by one byte
  • The additional byte is guessed because only 256
    possible values are possible
  • When the network attacker guesses the correct
    value, the expected response is received in this
    example, the ICMP echo reply message
  • The process is repeated until the desired key
    stream length is obtained

27
Bit-Flipping Attack
28
Bit-Flipping Attack
29
CBC Mode Block Cipher
30
VPN WLAN Design
31
WEP Cracking Tools
  • Airsnort (airsnort.schmoo.com)
  • WepAttack (wepattack.sourcefourge.net)
  • WEPCrack (sourceforge.net/projects/wepcrack)
  • Weplab (sourceforge.net/projects/weplab)
  • Aircrack (www.aircrack-ng.org)

32
Typical Security Incidents
  • Unauthorized association and snooping
  • Access Point Intrusion
  • Intrusion attempts (WLAN and Wired Network)
  • Loss of confidential data
  • Data Capture and Replay Attacks
  • Bandwidth Theft
  • Unauthorized Rogue Access Points
  • Wireless clients associate with wrong access
    point (Fake Access Points)

33
Step 1 Security Policy Review
  • Wireless LAN treated as external network
  • Approval for wireless infrastructure and clients
  • Security Architecture and Design Review
  • Access Point Configuration Standards
  • Authentication and Encryption Baseline
  • Logging, Monitoring, Intrusion Detection
  • Wireless Vulnerability Assessment

34
Step 2 Architecture Assessment
  • Security Architecture and Design
  • Network segmentation control (firewall)
  • Secure configuration of Access Points
  • VPN (IPsec or SSL)
  • Authentication of wireless clients
  • Encryption of wireless traffic
  • Logging, and monitoring wireless security logs

35
Step 3 Risk Assessment
  • Document Wireless Architecture,
    Components,Security Configuration
  • Threat Assessment
  • Vulnerability Assessment
  • Controls Assessment
  • Assess Risk
  • Control Recommendations

36
Vulnerability Assessment
  • Wireless Assessment Toolkit
  • Linux-based toolkits
  • Knoppix (knoppix.net)
  • Nmap Nessus (testing from wired LAN)
  • Tools
  • Network Discovery
  • WEP/WPA Cracking Tools
  • Packet Capture Tools
  • Known exploit code

37
Network Discovery
  • Laptop / PDA
  • Wireless network card
  • Network Discovery Tools
  • Kismet
  • NetStumbler
  • Ministumbler
  • Antenna
  • GPS Unit

38
Rogue Access Pointdetection
  • Tools / Solutions
  • Airmagnet (www.airmagnet.com)
  • Retina WiFi Scanner (www.eeye.com)
  • Kismet (www.kismetwireless.net)
  • Pocketwarrior (www.pocketwarrior.org)
  • WiFiFoFum (www.aspecto-software.com)

39
Step 4 AP Configuration Review
  • Access Point Configuration
  • telnet, http, snmp
  • default authentication
  • SSID Configuration
  • Authentication Encryption Setup
  • Logging Enabled

40
Step 5 Authentication Encryption
  • WPA
  • Subset of 802.11i
  • ConfidentialityTKIP
  • Authentication - Per-user or Pre-shared key
  • Integrity Mechanisms
  • 802.11i (WPA2)
  • Addresses the main problems of WEP and Shared-Key
    Authentication
  • Temporal Key Integrity Protocol (TKIP)
  • Message Integrity Control Michael
  • AES Encryption replacement for RC4
  • 802.1x
  • Framework to control port access between devices,
    AP, and servers
  • Not specific to 802.11 networks
  • Uses dynamic keys instead of the WEP
    authentication static key

41
Wi-Fi Alliance Certification Programs
  • The Wi-Fi Alliance began conducting
    interoperability testing in April 2000 and has
    since awarded its Wi-Fi CERTIFIED label to over
    2,500 WLAN products. Product categories include
    access points and a wide variety of clients.
  • Three basic types of certifications radio
    standards, network security, and multimedia
    content support.
  • The Wi-Fi Alliance also manages a licensing
    program for Wi-Fi providers called Wi-Fi Zone.
    Organizations participating in the program agree
    to use Wi-Fi CERTIFIEDTM products only and adhere
    to certain service standards.

42
Wi-Fi Alliance
  • The Wi-Fi Alliance introduced WPA in early 2003
    to address serious vulnerabilities inherent in
    WEP, which was the only available IEEE 802.11
    security protection at that time. WPA is
    essentially a subset of IEEE 802.11i that
    provides a solution to WEPs major problems. To
    accomplish this protection, WPA leverages the
    following core security features from IEEE
    802.11i
  • IEEE 802.1X and EAP authentication
  • Key generation and distribution based on the IEEE
    802.11i 4-Way Handshake
  • TKIP mechanisms including
  • Encapsulation and decapsulation
  • Replay protection
  • Michael MIC integrity protection.

43
Brief Overview of IEEE 802.11i Security
  • IEEE 802.11i references the Extensible
    Authentication Protocol (EAP) standard, which is
    a means for providing mutual authentication
    between STAs and the WLAN infrastructure, as well
    as performing automatic cryptographic key
    distribution.
  • IEEE 802.11i also uses some techniques derived
    from the Internet Protocol Security (IPsec)
    standard, such as generating cryptographic
    checksums through hash message authentication
    codes (HMAC).

44
802.1X Layers
EAP SIMGSM SIM Authentication
45
802.1X Ports
  • 802.1X requires three entities
  • The supplicantResides on the wireless LAN
    client
  • The authenticatorResides on the access point
  • The authentication serverResides on the RADIUS
    server
  • IEEE 802.1X defines IEEE 802 encapsulation of EAP
    messages
  • EAP over LAN (EAPOL) messages

46
802.1X and EAP Message Flow
47
EAP
  • EAP supports a wide variety of authentication
    methods (rfc3748), also called EAP methods. These
    methods include authentication based on
    passwords, certificates, smart cards, and tokens.
  • EAP methods can also include combinations of
    authentication techniques, such as a certificate
    followed by a password, or the option of using
    either a smart card or a token.

48
EAP methods
  • The current WPA/WPA2 certified EAP methods are
  • EAP-TLS (originally certified protocol)
  • EAP-TTLS/MSCHAPv2
  • PEAPv0/EAP-MSCHAPv2
  • PEAPv1/EAP-GTC
  • EAP-SIM

49
Pairwise Key Hierarchy
50
Summary of Data Confidentiality and Integrity
Protocols
51
The EAP Cisco Authentication Algorithm
  • Mutual Authentication
  • User-Based Authentication
  • Dynamic WEP Keys
  • Data Privacy with TKIP
  • A message integrity check (MIC) function on all
    WEP-encrypted data frames
  • Initialization vector/base key reuseThe MIC adds
    a sequence number field to the wireless frame.
    The access point will drop frames received out of
    order.
  • Frame tampering/bit flippingThe MIC feature adds
    a MIC field to the wireless frame. The MIC field
    provides a frame integrity check not vulnerable
    to the same mathematical shortcomings as the ICV.
  • Per-packet keying on all WEP-encrypted data
    frames

52
Per-packet keying
Cisco LEAP - password-based algorithm.
53
EAP-TLS Authentication Process
54
EAP Transport Layer Security
  • TLS comprises three protocols
  • Handshake protocolThe handshake protocol
    negotiates the parameters for the SSL session.
    The SSL client and server negotiate the protocol
    version, encryption algorithms, authenticate each
    another, and derive encryption keys.
  • Record protocolThe record protocol facilitates
    encrypted exchanges between the SSL client and
    the server. The negotiated encryption scheme and
    encryption keys are used to provide a secure
    tunnel for application data between the SSL
    endpoints.
  • Alert protocolThe alert protocol is the
    mechanism used to notify the SSL client or server
    of errors as well as session termination.

55
Protected EAP
  • Protected EAP (PEAP), is EAP authentication type
    that is designed to allow hybrid authentication.
  • PEAP employs server-side PKI authentication. For
    client-side authentication, PEAP can use any
    other EAP authentication type.
  • Because PEAP establishes a secure tunnel via
    server-side authentication, non-mutually
    authenticating EAP types can be used for
    client-side authentication, such as EAP generic
    token card (GTC) for one-time passwords (OTP),
    and EAP MD5 for password based authentication.
  • PEAP is based on server-side EAP-TLS, and it
    addresses the manageability and scalability
    shortcomings of EAP-TLS.
  • Organizations can avoid the issues associated
    with installing digital certificates on every
    client machine as required by EAP-TLS and select
    the method of client authentication that best
    suits them.

56
Protected EAP
57
EAP SIM Architecture
  • EAP SIM authentication is based on the
    authentication and encryption algorithms stored
    on the Global System for Mobile
  • Communications (GSM) SIM, which is a Smartcard
    designed according to the specific requirements
    detailed in the GSM
  • standards.
  • GSM authentication is based on a
    challenge-response mechanism and employs a shared
    secret key, Ki, which is stored on the SIM and
    otherwise known only to the GSM operators
    Authentication Center (AuC).
  • When a GSM SIM is given a 128-bit random
    number (RAND) as a challenge, it calculates a
    32-bit response (SRES) and a 64-bit encryption
    key (Kc) using an operator-specific confidential
    algorithm. In GSM systems, Kc is used to encrypt
    mobile phone conversations over the air
    interface.

58
EAP SIM Authentication
59
UMTS system architecture (R99)

60
UMTS and GSM Security objectives
  • Problems with GSM Security
  • Weak authentication and encryption algorithms
    (COMP128has a weakness allowing user
    impersonation A5 can bebroken to revealthe
    cipher key)
  • Short key length (32 bits)
  • No data integrity (allows certain denial of
    service attacks)
  • No network authentication (false base station
    attack possible)
  • Limited encryption scope (Encryption terminated
    at the base station, in clear on microwave
    links)
  • Insecure key transmission (Cipher keys and
    authenticationparameters are transmitted in
    clear between and withinnetworks)

61
3G Security Features
  • Mutual Authentication
  • The mobile user and the serving network
    authenticate each other
  • Data Integrity
  • Signaling messages between the mobile station and
    RNC protected by integrity code
  • Network to Network Security
  • Secure communication between serving networks.
    IPsec suggested
  • Wider Security Scope
  • Security is based within the RNC rather than the
    base station
  • Secure IMSI (International Mobile Subscriber
    Identity) Usage
  • The user is assigned a temporary IMSI by the
    serving network

62
3G Security Features
  • User Mobile Station Authentication
  • The user and the mobile station share a secret
    key, PIN
  • Secure Services
  • Protect against misuse of services provided by
    the home network and the serving network
  • Secure Applications
  • Provide security for applications resident on
    mobile station
  • Fraud Detection
  • Mechanisms to combating fraud in roaming
    situations
  • Flexibility
  • Security features can be extended and enhanced as
    required by new threats and services

63
3G Security Features
  • Visibility and Configurability
  • Users are notified whether security is on and
    what level of security is available
  • Multiple Cipher and Integrity Algorithms
  • The user and the network negotiate and agree on
    chipher and integrity algorithms. At least one
    encryption algorithm exported on world-wide
    basis (KASUMI)
  • Lawful Interception
  • Mechanisms to provide authorized agencies with
    certain information about subscribers
  • GSM Compatibility
  • GSM subscribers roaming in 3G network are
    supported by GSM security context (vulnerable to
    false base station)

64
Authentication and Key Agreement
65
Encryption
  • Signaling and user data protected from
    eavesdropping. Secret key, block cipher algorithm
    (KASUMI) uses 128 bit cipher key.
  • At the mobile station and RNC (radio network
    controller)

66
Integrity Check
  • Integrity and authentication of origin of
    signalling data provided. The integrity algorithm
    (KASUMI) uses 128 bit key and generates 64 bit
    message authentication code.
  • At the mobile station and RNC (radio network
    controller)

67
WiMAX Overview
  • Complement the existing last mile wired networks
    (i.e. xDSL, cable modem)
  • Fast deployment, cost saving
  • High speed data, voice and video services
  • Fixed BWA, Mobile BWA

68
WiMAX Applications
69
Benefits of WiMAX
  • Speed
  • Faster than broadband service
  • Wireless
  • Not having to lay cables reduces cost
  • Easier to extend to suburban and rural areas
  • Broad coverage
  • Much wider coverage than WiFi hotspots

70
Security Issues
  • Provides subscribers with privacy across the
    fixed broadband wireless network
  • Protect against unauthorized access to the data
    transport services
  • Encrypt the associated service flows across the
    network.
  • Implemented by encrypting connections between SS
    and BS
  • Security mechanisms
  • Authentication
  • Access control
  • Message encryption
  • Message modification detection (Integrity)
  • Message replay protection
  • Key management
  • Key generation, key transport, key protection,
    Key derivation, Key usage

71
Security Association
  • Data SA
  • 16-bit SA identifier
  • Cipher to protect data DES-CBC
  • 2 TEK
  • TEK key identifier (2-bit)
  • TEK lifetime
  • 64-bit IV
  • Authorization SA
  • X.509 certificate ? SS
  • 160-bit authorization key (AK)
  • 4-bit AK identification tag
  • Lifetime of AK
  • KEK for distribution of TEK
  • Truncate-128(SHA1(((AK 044) xor 5364)
  • Downlink HMAC key
  • SHA1((AK044) xor 3A64)
  • Uplink HMAC key
  • SHA1((AK044) xor 5C64)
  • A list of authorized data SAs

72
IEEE 802.16 Security Process
73
Authentication
SS ?BS Cert(Manufacturer(SS)) SS ?BS Cert(SS)
Capabilities SAID BS ?SS RSA-Encrypt(PubKey(SS)
, AK) Lifetime SeqNo SAIDList
74
Key Derivation
  • KEK Truncate-128(SHA1(((AK 044) xor 5364)
  • Downlink HMAC key SHA1((AK044) xor 3A64)
  • Uplink HMAC key SHA1((AK044) xor 5C64)

75
Data Key Exchange
76
Data Key Exchange
  • Traffic Encryption Key (TEK)
  • TEK is generated by BS randomly
  • TEK is encrypted with
  • Triple-DES (use 128 bits KEK)
  • RSA (use SSs public key)
  • AES (use 128 bits KEK)
  • Key Exchange message is authenticated by
    HMAC-SHA1 (provides Message Integrity and AK
    confirmation)

77
Data Encryption
78
Data Encryption
  • Encrypt only data message not management message
  • DES in CBC Mode
  • 56 bit DES key (TEK)
  • No Message Integrity Detection
  • No Replay Protection

79
Key Management
  • Message 1
  • BS ?SS SeqNo SAID HMAC(1)
  • Message 2
  • SS ?BS SeqNo SAID HMAC(2)
  • Message 3
  • BS ?SS SeqNo SAID OldTEK NewTEK HMAC(3)
  • M1 to rekey a data SA, or create a new SA
  • TEK encrypted with Triple-DES-ECB

80
IEEE 802.16 Security Flaws
  • Lack of Explicit Definitions
  • Authorization SA not explicitly defined
  • SA instances not distinguished open to replay
    attacks
  • Solution Need to add nonces from BS and SS to
    the authorization SA
  • Data SA treats 2-bit key as circular buffer
  • Attacker can interject reused TEKs
  • SAID 2 bits ? at least 12 bits (AK lasts 70 days
    while TEK lasts for 30 minutes)
  • TEKs need expiration due to DES-CBC mode
  • Determine the period 802.16 can safely produce
    232 64-bit blocks only.

81
IEEE 802.16 Security Flaws
  • Need for mutual authentication
  • Authentication is one way
  • BS authenticates SS
  • No way for SS to authenticate BS
  • Rouge BS ? possible because all information's are
    public
  • Possible enhancement BS certificate
  • SS?BS Cert (Manufacturer)
  • SS?BS SS-Rand Cert(SS) Capabilities SAID
  • BS?SS BS-Rand SS-Rand E(Pub(SS),AK)
    Lifetime Seq No SAID Cert (BS) Sig (BS)

82
IEEE 802.16 Security Flaws
  • Authentication Key (AK) generation
  • BS generates AK
  • No contribution from SS
  • SS must trust BS for the generation of AK
  • AK HMAC-SHA1(contribution from SS contribution
    from BS)
  • AK HMAC-SHA1(pre-AK, SS-Random BS-Random
    SS-MAC-Addr BS-MAC-Addr 160)

83
IEEE 802.16 Security Flaws
  • Key management
  • TEK sequence space (2-bit sequence )
  • Replay attack can force reuse of TEK/IV
  • Increase it to 12-bit
  • No specification on the generation of TEK and
    therefore TEKs are random
  • No TEK freshness assurance
  • Message 1
  • BS ? SS SS-Random BS-Random SeqNo12 SAID
    HMAC(1)
  • Message 2
  • SS ? BS SS-Random BS-Random SeqNo12 SAID
    HMAC(2)
  • Message 3
  • BS ?SS SS-Random BS-Random SeqNo12 SAID
    OldTEK NewTEK HMAC(3)
  • Not transmit TEK, generate TEK
  • TEK HMAC-SHA1(pre-TEK, SS-Random BS-Random
    SS-MAC-Addr BS-MAC-Addr SeqNo12 160)
  • SS-Random BS-Random is used as an instance
    identifier

84
IEEE 802.16 Security Flaws
  • Alternative Cryptographic Suite
  • IEEE 802.16 used DES-CBC
  • DES uses 64 bit block size
  • According to studies a CBC mode using block
    cipher with n-bit block loses its security after
    operating on 2n/2 blocks with the same
    encryption key.
  • So IEEE 802.16 can safely produce 232 64-bit
    blocks.
  • Also IV used in DES-CBC are predictable.
  • Use AES-CCM as encryption primitive
  • 128 bit key (TEK)
  • HMAC-SHA1
  • Replay Protection using Packet Number

85
IEEE 802.16 Security Flaws
  • Data protection errors
  • 56-bit DES does not offer strong data
    confidentiality
  • Forgeries or replies (WEP-like vulnerability)
  • Writes are not prevented, read-protects only
  • even w/o encryption key
  • Uses a PREDICTABLE initialization vector (while
    DES-CBC requires a random IV)
  • IV is the xor of the IV in SA and the PHY
    synchronization field from the most recent GMH
  • Generates each per-frame IV randomly and inserts
    into the payload.
  • Though increases overhead, no other choice.

86
IEEE 802.16 Security Flaws
  • No data Authentication
  • Encryption only prevents reading but any one
    without key can write (change the message).
  • Strong MAC needs to be included in the message

87
References
  • Wireless Security Reference Site
  • www.wardrive.net
  • Wireless Security Policies
  • www.sans.org/resources/policies
  • NIST Wireless Network Security (includes wireless
    security checklist)
  • csrc.nist.gov/publications/drafts/draft-sp800-97.p
    df
  • Wireless Security Checklists
  • www.cisecurity.org
  • www.sans.org/score/
About PowerShow.com