Beruflich Dokumente
Kultur Dokumente
in Wireless Networks
http://secowinet.epfl.ch/
broadcast communications
wireless usually means radio, which has a broadcast nature
transmissions can be overheard by anyone in range
anyone can generate transmissions,
which will be received by other devices in range
which will interfere with other nearby transmissions and may prevent their correct
reception (jamming)
eavesdropping is easy
injecting bogus messages into the network is easy
replaying previously recorded messages is easy
illegitimate access to the network and its services is easy
denial of service is easily achieved by jamming
2/60
authenticity
replay detection
integrity
access control
3/60
Chapter outline
1.3.1 Cellular networks
1.3.2 WiFi LANs
1.3.3 Bluetooth
4/60
GSM Security
main security requirement
subscriber authentication (for the sake of billing)
challenge-response protocol
long-term secret key shared between the subscriber and the home
network operator
supports roaming without revealing long-term key to the visited networks
5/60
Must be tamper-resistant
Protected by a PIN code (checked locally by the SIM)
Is removable from the terminal
Contains all data specific to the end user which have to
reside in the Mobile Station:
IMSI: International Mobile Subscriber Identity (permanent users
identity)
PIN
TMSI (Temporary Mobile Subscriber Identity)
Ki : Users secret key
Kc : Ciphering key
List of the last call attempts
List of preferred operators
Supplementary service data (abbreviated dialing, last short messages
received,...)
6/60
Ki
A3
A8
Kc
Authentication
A5
Triplet
Ciphering algorithm
7/60
Visited network
Home network
Ki
IMSI/TMSI
IMSI (or TMSI)
IMSI
Triplets (Kc, R, S)
Authenticate (R)
Ki
A8
A3
Kc
Triplets
A8
A3
Kc
Auth-ack(S)
S=S?
1.3.1 Cellular networks
GSM security
8/60
Ciphering in GSM
PLAINTEXT
SEQUENCE
FRAME NUMBER
Kc
FRAME NUMBER
Kc
A5
A5
CIPHERING
SEQUENCE
CIPHERING
SEQUENCE
CIPHERTEXT
SEQUENCE
Sender
(Mobile Station or Network)
PLAINTEXT
SEQUENCE
Receiver
(Network or Mobile Station)
9/60
10/60
11/60
12/60
Authentication in 3GPP
Mobile Station
Visited Network
Home Environment
Sequence number (SQN) RAND(i)
K: Users
secret key
Generation of
cryptographic material
Authentication vectors
RAND(i ) || AUTN (i )
Verify AUTN(i)
Compute RES(i)
User authentication response RES(i)
Compare RES(i)
and XRES(i)
K
Compute CK(i)
and IK(i)
Select CK(i)
and IK(i)
1.3.1 Cellular networks
UMTS security
13/60
f2
f3
f4
f5
MAC (Message
Authentication
Code)
XRES
(Expected
Result)
CK
(Cipher
Key)
IK
(Integrity
Key)
AK
(Anonymity
Key)
14/60
RAND
SQN ! AK
AMF
MAC
f5
AK
!
SQN
K
f1
f2
f3
f4
XMAC
(Expected MAC)
RES
(Result)
CK
(Cipher
Key)
IK
(Integrity
Key)
15/60
16/60
OP
OPc
OPc
EK
EK
OPc
OPc
OPc
rotate
by r1
rotate
by r2
c1
c2
EK
f1
rotate
by r3
c3
EK
f1*
f5
rotate
by r4
EK
f2
rotate
by r5
c5
EK
OPc
f3
OPc
c4
OPc
OPc
OPc
OPc
EK
OPc
f4
f5*
17/60
SIGNALLING MESSAGE
FRESH
FRESH
COUNT-I
IK
COUNT-I
DIRECTION
f9
IK
DIRECTION
f9
MAC-I
XMAC-I
Sender
(Mobile Station or
Radio Network Controller)
Receiver
(Radio Network Controller
or Mobile Station)
FRESH: random input
18/60
Ciphering method
LENGTH
BEARER
COUNT-C
CK
COUNT-C
DIRECTION
CK
f8
DIRECTION
f8
KEYSTREAM
BLOCK
PLAINTEXT
BLOCK
LENGTH
BEARER
KEYSTREAM
BLOCK
CIPHERTEXT
BLOCK
Sender
(Mobile Station or
Radio Network Controller)
PLAINTEXT
BLOCK
Receiver
(Radio Network Controller
or Mobile Station)
BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter
1.3.1 Cellular networks
UMTS security
19/60
CK
KM
KASUMI
Register
BLKCNT=0
BLKCNT=1
CK
CK
KASUMI
KS[0]KS[63]
BLKCNT=2
KASUMI
CK
BLKCNT=BLOCKS-1
KASUMI
CK
KASUMI
KS[64]KS[127] KS[128]KS[191]
20/60
Details of Kasumi
L0
32
R0
32
64
KL1
FL1
FO1
KO2 , KI2
KL3
FO3
KO4, KI4
FO6
FL7
FO8
L8
Zero-extend
FIi2
KO3 , KI3
S7
KOi,2
FO5
truncate
KIi,j,2
KIi,2
KIi,j,1
KL4
KO6 , KI6
KL7
S9
KIi,1
FL4
KL5
16
FL2
FO4
FL5
16
KOi,1
KL2
FO2
FL3
32
16
FIi1
KO1 , KI1
FIi3
S9
KOi,3
Zero-extend
KIi,3
KO5 , KI5
S7
truncate
KL6
FL6
FO7
KO8 , KI8
Fig. 2 : FO Function
KO7 , KI7
16
KL8
KLi,1
FL8
<<<
R8
Fig. 1 : KASUMI
Fig. 3 : FI Function
32
16
<<<
Bitwise AND operation
KLi,2
Bitwise OR operation
Fig. 4 : FL Function
21/60
22/60
Chapter outline
1.3.1 Cellular networks
1.3.2 WiFi LANs
1.3.3 Bluetooth
23/60
Introduction to WiFi
connected
scanning on
each channel
STA
association request
association response
AP
beacon
- MAC header
- timestamp
- beacon interval
- capability info
- SSID (network name)
- supported data rates
- radio parameters
- power slave flags
24/60
Introduction to WiFi
Internet
AP
25/60
services
access control to the network
message confidentiality
message integrity
26/60
27/60
reception is analogous
28/60
IV
RC4
secret key
encode
IV
message + ICV
decode
IV
RC4
secret key
message + ICV
K: pseudo-random sequence
Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks
29/60
WEP Keys
two kinds of keys are allowed by the standard
default key (also called shared key, group key, multicast key, broadcast key,
key)
key mapping keys (also called individual key, per-station key, unique key)
id:X | key:abc
default key
id:Y | key:abc
id:Z | key:abc
id:X | key:def
id:Y | key:ghi
key:abc
id:Z | key:jkl
id:X | key:def
id:Y | key:ghi
id:Z | key:jkl
30/60
31/60
time
abc*
---
abc*
---
abc*
---
abc*
def
* active key
abc
def*
--def*
abc
def*
--def*
--def*
32/60
33/60
AP STA: r
STA AP: IV | r K
AP attacker: r
attacker AP: IV | r K
34/60
35/60
if several devices are switched on nearly at the same time, they all use the same
sequence of IVs
if they all use the same default key (which is the common case), then IV collisions
are readily available to an attacker
for some seed values (called weak keys), the beginning of the RC4 output is
not really random
if a weak key is used, then the first few bytes of the output reveals a lot of
information about the key breaking the key is made easier
for this reason, crypto experts suggest to always throw away the first 256
bytes of the RC4 output, but WEP doesnt do that
due to the use of IVs, eventually a weak key will be used, and the attacker
will know that, because the IV is sent in clear
WEP encryption can be broken by capturing a few million messages !!!
36/60
Example 2:
encrypting a message digest to obtain an ICV is a good principle
but it doesnt work if the message digest function is linear wrt to the encryption function
Using an expert in the design phase pays out (fixing the system after
deployment will be much more expensive)
experts will not guarantee that your system is 100% secure
but at least they know many pitfalls
they know the details of crypto algorithms
37/60
Overview of 802.11i
After the collapse of WEP, IEEE started to develop a new
security architecture 802.11i
Main novelties in 802.11i wrt to WEP
access control model is based on 802.1X
flexible authentication framework (based on EAP Extensible
Authentication Protocol)
authentication can be based on strong protocols (e.g., TLS
Transport Layer Security)
authentication process results in a shared session key (which
prevents session hijacking)
different functions (encryption, integrity) use different keys derived
from the session key using a one-way function
integrity protection is improved
encryption function is improved
Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks
38/60
Overview of 802.11i
802.11i defines the concept of RSN (Robust Security Network)
integrity protection and encryption is based on AES (and not on RC4
anymore)
nice solution, but needs new hardware cannot be adopted immediately
Industrial names
TKIP WPA (WiFi Protected Access)
RSN/AES WPA2
39/60
authenticator system
services
port
authenticator
controls
LAN
40/60
41/60
EAP
EAP
EAP
EAP
used to carry EAP messages between the AP and the auth server
MS-MPPE-Recv-Key attribute is used to transport the session key from the
auth server to the AP
RADIUS is mandated by WPA and optional for RSN
42/60
EAP in action
STA
encapsulated in EAPOL
AP
auth server
encapsulated in RADIUS
EAP Request 1
EAP Request 1
EAP Response 1
EAP Response 1
...
...
EAPOL-Start
EAP Request n
EAP Request n
EAP Response n
EAP Response n
EAP Success
EAP Success
Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks
43/60
EAP-SIM
developed by Cisco
similar to MS-CHAP extended with session key transport
44/60
802.11
mobile device
AP
auth server
45/60
Key hierarchies
random generation
in AP
802.1X authentication
key derivation
in STA and AP
key derivation
in AP
transport
to every STA
protection
protection
protection
46/60
Four-way handshake
objective:
prove that AP also knows the PMK (result of authentication)
exchange random values to be used in the generation of PTK
protocol:
AP : generate ANonce
AP STA : ANonce | KeyReplayCtr
STA : generate SNonce and compute PTK
STA AP : SNonce | KeyReplayCtr | MICKIK
AP : compute PTK, generate GTK, and verify MIC
AP STA : ANonce | KeyReplayCtr+1 | {GTK}KEK | MICKIK
STA : verify MIC and install keys
STA AP : KeyReplayCtr+1 | MICKIK
AP : verify MIC and install keys
MICKIK : Message Integrity Code (computed by the mobile device using the key-integrity key)
KeyReplayCtr: used to prevent replay attacks
Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks
47/60
for AES-CCMP
PRF-384( PMK,
Pairwise key expansion,
MAC1 | MAC2 | Nonce1 | Nonce2 ) =
= KEK | KIK | DE&IK
PRF-128( GMK,
Group key expansion,
MAC | GNonce ) =
= GE&IK
Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks
48/60
TKIP
runs on old hardware (supporting RC4), but
WEP weaknesses are corrected
new message integrity protection mechanism called Michael
MIC value is added at SDU level before fragmentation into PDUs
implemented in the device driver (in software)
49/60
IV
upper lower
32 bits 16 bits
128 bits
key mix
(phase 1)
MAC address
dummy byte
key mix
(phase 2)
IV d IV
per-packet key
3x8 = 24 bits
104 bit
50/60
AES-CCMP
CBC-MAC
flag (8)
priority (8)
source address (48)
packet number (48)
data length (16)
final 128-bit block of CBC encryption is truncated to (upper) 64 bits to get the CBCMAC value
51/60
AES-CCMP
uses AES in CCMP mode (CTR mode and CBC-MAC)
needs new hardware that supports AES
Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks
52/60
Chapter outline
1.3.1 Cellular networks
1.3.2 WiFi LANs
1.3.3 Bluetooth
53/60
Bluetooth
Short-range communications, master-slave principle
Eavesdropping is difficult:
Frequency hopping
Communication is over a few meters only
Security issues:
Authentication of the devices to each other
Confidential channel
1.3.3 Bluetooth
54/60
Bluetooth
When two devices communicate for the first time:
Set up the temporary initialization key.
1.3.3 Bluetooth
55/60
1.3.3 Bluetooth
56/60
Bluetooth
Setting up the link key:
Bluetooth
The authentication protocol:
1.3.3 Bluetooth
57/60
Bluetooth
Generation of the encryption key and the key stream:
1.3.3 Bluetooth
58/60
Weaknesses
The strength of the whole system is based on the strength of
the PIN:
PIN: 4-digit number, easy to try all 10000 possible values.
PIN can be cracked off-line.
many devices use the default PIN.
For memory-constrained devices: the link key = the longterm unit key of the device.
Fixed and unique device addresses: privacy problem.
Weaknesses in the E0 stream cipher.
1.3.3 Bluetooth
59/60
Conclusion
Security issues of wireless networks:
wireless channel: easy to eavesdrop on, jam, overuse
Users: usually mobile
Classical requirements:
authentication, confidentiality, integrity, availability
60/60