Lecture notes Wireless Networks

security and cooperation in wireless networks and cooperation in wireless networks principles and applications. and security in wireless networks issues and challenges pdf free download
BellaLloyd Profile Pic
Published Date:12-07-2017
Your Website URL(Optional)
SECURITY AND COOPERATION IN WIRELESS NETWORKS Thwarting Malicious and Sel¯sh Behavior in the Age of Ubiquitous Computing A GRADUATE TEXTBOOK Levente Butty¶an and Jean-Pierre Hubaux ISBN 9780521873710 D R A F T Version 1.5.1 July 27, 2007 This version has been developed in parallel with the copyediting process. The di®erence between this version (v1.5.1) and the previous v1.4 consists in several minor corrections, all of very limited scope. The copyright on this book is held by Cambridge University Press, who have kindly agreed to allow us to keep the book available on the Web until it is published. After publication, the whole book will still be downloadable but it will be print-protected. http://secowinet.ep°.ch1 The security of existing wireless networks Beforediscussingwirelessnetworks, itisnecessarytotakeabroadlookatnetworking in general and to see why malicious and sel¯sh behavior is such a relevant issue. For this purpose, we will consider the Internet. The Internet is probably the most impressive achievement ever in networking: A simplesetofbrilliantengineeringruleshasledtothedeploymentofthemostpervasive network that, in spite of its size (or rather, thanks to it), supports a growing number of services and applications. At the core of these rules stands of course the principle of universal connectivity. Unfortunately, the Internet is plagued by several major problems, fuelled by this veryprinciple. Virusesandspamhavebecomeadailyissueformostusersaroundthe world, many people fall prey to phishing attacks, and denial of service (DoS) attacks are routinely perpetrated against the servers of major corporations. An additional problem is that some network providers tend to establish walled gardens, by which they o®er speci¯c capabilities exclusively to their customers. Finally, some providers aretemptedtointerconnecttheirnetworkinawaythatisbene¯cialtothemselves,but canbedetrimentaltotherestofthecommunity210. Thesituationissocriticalthat many prominent specialists, including some of the founding fathers of the Internet, call for a profound revamping of the network 102. Ambitious research projects, funded notably by the NSF and by the European Commission, have adopted a clean slate approach to respond to this challenge. All these problems have a common cause: they are due to human intention, not to technical failures. They also have common implications: They consume other users' time and nerves. They represent a formidable tax on the usage of the network, in terms of ¯rewalls, ¯lters, anti-spam software, anti-DoS systems, and the related workforce in charge of deploying and operating these tools. It is clear that the problem is very complicated. One of the reasons is that most of the vulnerabilities we have mentioned do not revolve exclusively around the commu- nication protocols: They can also be related to the operating system and (especially 34 The security of existing wireless networks for viruses) to the programming techniques and they can depend on human factors. Yet, in this book we focus as much as possible on the issues primarily related to networking. Another reason for this complexity is that it is extremely di±cult to anticipate the kind of misbehavior that will a®ect a network while not yet deployed. In addi- tion, competition encourages rapid deployment of new networking technologies and of new services, thus leaving little time to devise and implement (let alone standard- ize) protection mechanisms. Consequently, very often the protection mechanisms are designed a posteriori and constitute as many patches to the network. This leads to a growing complexity of the deployed systems (and complexity is often detrimental to security). We believe that the widespread adoption of upcoming wireless networks creates even more formidable challenges in terms of misbehavior prevention. As malice and sel¯shnessarethecoreproblemsaddressedinthisbook,wemakeadistinctionbetween these two kinds of misbehavior: malice aims at doing harm to known or unknown individuals or organizations, whereas sel¯shness consists in overusing the network resources (possibly at the expense of the other users). With this terminology, a virus designer is malicious, whereas a spammer is sel¯sh. We will re¯ne these concepts in Chapter 3. Having discussed the lessons that can be drawn from the Internet, we will now see the peculiarities of wireless networks that are relevant to malice and sel¯shness. We will ¯rst discuss existing wireless networks, leaving the treatment of upcoming wireless networks to the next chapter. 1.1 Vulnerabilities of wireless networks Existing wireless networks are primarily personal communication networks, meaning that the end systems are used by human beings to communicate either with other human beings or with servers. In the next chapter, we will see that some of the up- coming wireless networks have a di®erent purpose, in the sense that communications, in a growing number of cases, will not involve human beings. As we will see, this has profound implications in terms of how these networks need to be protected. The most obvious characteristic of wireless networks is that communication takes place over a wireless channel (which is usually a radio channel, but can also be an infrared channel). Such a channel su®ers from a number of vulnerabilities, mentioned hereafter. ² The channel can be eavesdropped: By placing an antenna at an appropriate location, an attacker can overhear the information that the victim transmits or receives. Eavesdropping is often used to carry out attacks, notably passive attacks.1.1 Introduction to wireless networks 5 Passive attacks consist in listening to the network and analyzing the captured data without interacting with the network. Such an attack can be illustrated with the weakness of WEP (described later in this chapter). Usually, the protection against such misdeeds is achieved by encrypting that information. ² The data can be altered: an attacker can try to modify the content of the mes- sage exchanged between (wireless) parties. These attacks are called active attacks. We will see later several cases of active attacks such as man-in-the-middle attacks perpetrated on GSM. ² Theabsenceofwiredlinkmakesiteasiertocheatonidentities: Beinguntethered, the attacker can more easily impersonate a legitimate user. ² The radio channel can be overused: The radio spectrum being a shared resource, thereisariskthatawirelessoperatororausermakesanexcessiveuseofit. Tosolve the problem between cellular operators, the solution consists in allocating to each of them a licensed piece of the spectrum; but it can happen that several operators have to share the same spectrum, as it is the case today in WiFi. The problem of overuse by mobile users has not been an issue in cellular networks, because the bit rates were upper-bounded by the protocols, under the supervision of the base stations; but it can be an issue in WiFi because the stations can be programmed in a sel¯sh way. We will come back to this problem in Chapter 9. ² The channel can be jammed, notably in order to perpetrate a DoS attack: By transmitting at the same time the victim transmits or receives data, an attacker can make it impossible for the victim to communicate. This problem has been studied in detail over the last decades. Typical solutions include spread spectrum andfrequencyhopping(andveryoftenacombinationofthetwo). Wewillnotfocus on anti-jamming techniques in this book, as they are more related to the physical layer; yet, in Chapter 9 we will see that the threat of jamming can actually thwart sel¯sh behavior. 1 A second characteristic is that the users are usually mobile , which has several implications. ² Astheuserroveswithhermobiledevice, thedevicebecomesawaytopermanently 2 trace her whereabouts, hence jeopardizing her privacy. We will devote a full chapter to this crucial topic of privacy; In Section 1.3, we will see how this problem is (very partially) solved in existing wireless networks. 1 The term \mobile" can designate a terminal that either communicates, moves, and then commu- nicates again, or that communicates while moving (achieving the latter is of course technically more challenging). The precise meaning of this adjective will depend on the context in which it is used. 2 The passive attacks mentioned above can be mounted against another component of privacy, namely the privacy of data.6 The security of existing wireless networks ² Mobility also means that a given device must be able to roam across wireless networks controlled by di®erent operators. This requires that appropriate roaming agreements are made between operators, notably to de¯ne the pricing and billing policies. ² Tobemobilethedevicemustbesmall,meaningthatithaslimitedstorage,com- puting power, and energy. The last of these limitations is the most signi¯cant, as technological progress on batteries is much slower than on electronics. Usually, the problem is solved by minimizing the number of computational operations to be performed by the mobile station. This can however lead to poor engineering of the security protocols. ² A mobile station can easily be stolen, with the risk that it is misused or reverse engineered and that the data that it contains are accessed. The solution to this problem typically consists in encrypting the data it contains and embedding a tamper-resistant component in order to protect the cryptographic keys. 1.2 Security requirements Based on the characteristics that we have just described, we are now in a position to discuss the requirements usually expected to be met by secure systems. This will help us to better understand how (and to what extent) they are ful¯lled in existing wireless networks. ² The most obvious requirement isauthentication: For example, an operator must be able to know who is trying to obtain connectivity through his network; likewise, the user wants to make sure that he is indeed connected to the wireless operator she chooses. Hence, authentication is a fundamental mechanism to support access control. ² Accesscontrolistheabilityofanorganization(e.g., anetworkoperator)togrant appropriate access to resources (connectivity, data,...) based on the user's identity and the organization's policy. ² We have mentioned that the radio channel is particularly vulnerable to eavesdrop- ping. Hence, con¯dentiality of the exchanged information is also an important requirement. ² As the radio channel is also highly vulnerable to active attacks, the integrity of data must be appropriately protected. The data to be protected are not only the users' data, but also the data related to the control of the network. ² Another requirement we have already mentioned, is privacy. The network should notrevealthelocationoftheuser, northepartywithwhichshecommunicates(yet it is generally admitted that law enforcement agencies must have access to these two families of information, at least under some well-de¯ned conditions).1.3 How existing wireless networks are secured 7 ² Non-repudiation is also an important requirement: for example, it should not be possible for a user, who has made use of a given service provided by a given operator, to pretend that she did not. In other words, it must be possible for an operator to prove that a given user really made use of the service that it provides, typically in case of a billing dispute. ² Last but not least, the network must provide a certain level of availability. This meansinparticularthatitshouldprovidehigherprioritytoveryimportantcommu- nications, such as an emergency call from a cellular phone; it should also guarantee a fair share of the radio resource to mobile users located in the same radio domain. 1.3 How existing wireless networks are secured Letusnowexaminehowthesecurityrequirementslistedabovearesatis¯edornot in existing wireless networks. The examples that we will consider here cover a wide range of network types beginning from wide area wireless networks and ending with personalareanetworks. Morespeci¯cally,webrie°ydescribehowsecurityisprovided in cellular networks, in WiFi LANs, and in Bluetooth. We do not intend to give a very detailed description of the security architectures of these systems; instead, and in line with the spirit of this book, we describe only the principles underlying those security architectures. 1.3.1 Cellular networks Cellular networks have been deployed at a lively pace in the last decade, and are proliferating throughout the world. Today, cellular networks are so popular that in many countries, the number of mobile subscribers already exceeds the number of ¯xedtelephonelines. Originally,cellularnetworksprovidedonlyvoicecommunication services and they could also be used to send and receive short text messages. Today, the range of applications is much wider, including data communications, Internet access, multimedia applications (e.g., video telephony), and mobile payment services, just to name a few. For political and historical reasons, cellular networks in di®erent parts of the world are based on di®erent standards. In this subsection, we focus on the European ini- tiatives: GSM (Global System for Mobile Communications) and UMTS (Universal Mobile Telecommunications System). We note, however, that the principles are sim- ilar in other cellular networks (notably in the US, in China, and in Japan). Cellular networks are infrastructure-based networks. The infrastructure consists of base stations and a wired backbone network that connects the base stations together, aswellastothewiredtelephonesystemandtotheInternet. Eachbasestationserves8 The security of existing wireless networks only a limited physical area, called a cell, hence the name cellular. However, all the base stations of a given network operator together can cover a large area (typically a whole country in Europe). In addition, by connecting their backbones together and setting up appropriate roaming agreements, di®erent network operators can jointly provide ubiquitous coverage and enable continent wide and ever worldwide mobility for users. The terminal equipment in cellular networks is typically a mobile phone. Mobile phonesinagivencellarelogicallyconnectedtothebasestationofthecellviawireless channels. They can initiate and receive calls to and from other mobile phones and ¯xed telephones via the base station (and the backbone infrastructure). In fact, the only wireless part in the system is the link between the mobile phone and the base 3 station; the rest is a wired network. Setting up and running a cellular network is very expensive. A large share of the costs stems from the fact that cellular networks operate in licensed bands, meaning that the network operator must pay a licence fee for the use of the spectrum. The other part of the costs can be attributed to installing the base stations and deploying the backbone network, as well as to setting up the billing and the customer care infrastructure. At the end of the day, these costs are borne by the subscribers, who mustpayfortheservices(includingtheaccesstothenetwork)providedbythenetwork operator. GSM GSM is a prominent example of cellular networks and we will now describe its se- curity. From what we have just described, the main security requirement of GSM (at least from the operators' point of view) is subscriber authentication. Subscriber authentication is needed in order to support billing (i.e., to identify who must be 4 charged for using the network). In addition to subscriber authentication, GSM also provides some countermeasures for the inherent weaknesses of the wireless channel. More speci¯cally, GSM provides con¯dentiality for voice communications and sig- nalling over the wireless interface, and it protects the privacy of the subscribers by hiding their identity from eavesdroppers. Being a wide area system, GSM supports the roaming of subscribers across networks operated by di®erent network operators. This means that the above mentioned GSM security services operate in a multi-party environment. A fundamental assumption in the GSM security architecture is that there exists a long-term contractual relationship between a subscriber and a network operator; the 3 Base stations can also be connected to the backbone infrastructure via wireless links. However, those links are static and can be easily secured by the network operator. 4 This guarantees only a weak form of non-repudiation, because a malicious operator could forge faked evidence of communications.1.3 How existing wireless networks are secured 9 latter is called the home network operator of the given subscriber. When setting up thisrelationship,thehomenetworkoperatorveri¯estheidentityofthesubscriber,and obtainsfurtherinformationabouther, includingthebillingaddress. Thiscontractual relationship is represented by a long-term secret key that is shared by the subscriber and the home network operator, and serves as the basis for the authentication of the subscriber. In GSM, the secret key and other identity related information of the subscriber are not stored in the mobile phone, but in a separate security unit, called the SIM (Subscriber Identity Module). The SIM is implemented as a smart card with a small form factor, which can be inserted in and removed from the mobile phone. In e®ect, the key could have been stored in the non-volatile memory of the mobile phone itself, encrypted with a password. However, storing the key in a removable module has proved to be an excellent design choice, because it allows for the portability of the subscriber identity across di®erent devices: The subscriber can remove the SIM from one mobile phone, insert it into another (e.g., when she buys a new device), and she still has the same phone number and receives a single bill. SubscriberauthenticationinGSMisbasedontheso-calledchallenge-responseprin- ciple. The subscriber receives an unpredictable random number as a challenge, and she must compute a correct response in order to be authenticated. The correct re- sponseiscomputedfromthechallengeandthelong-termsecretkeyofthesubscriber. As the secret key is known exclusively to the subscriber and to the home network operator, no one else can compute the correct response. Thus, if the network opera- tor receives the correct response, it believes that the response was produced by the subscriber; hence, she must be present. The unpredictability of the challenge ensures the freshness of the response: The network operator knows that the response must have been computed after it sent the challenge, because no one (not even the sub- scriber)couldpredictwhatthechallengewouldbe. Clearly, thecomputationsneeded for authentication are not performed by the subscriber herself, but they are carried out by her mobile phone and the SIM without any user intervention. We will now describe the steps of the GSM subscriber authentication protocol. For the sake of generality, we assume that the subscriber roams into a foreign network, usually referred to as the visited network. As the ¯rst step, the mobile phone reads the IMSI (International Mobile Subscriber Identity) from the SIM, and sends it to the visited network. Based on the IMSI, the visited network determines the identity of the home network of the subscriber. Then, the visited network forwards the IMSI to the home network via the backbone. The home network looks up the secret key K that corresponds to the subscriber identi¯ed by the IMSI. It then creates a triplet (RAND;SRES;CK), where RAND is an unpredictable random number used as the challenge, SRES is the correct response to the challenge, and CK is a key to be used for encrypting communications over the wireless interface between the mobile phone10 The security of existing wireless networks andthebasestationofthevisitednetwork. RAND isgeneratedbyaPseudo-Random Number Generator (PRNG). SRES and CK are computed from RAND and K using the algorithms denoted by A3 and A8, respectively, in the GSM speci¯cations. The triplet(RAND;SRES;CK)issenttothevisitednetwork,whichchallengesthemobile phone with RAND. The mobile phone passes RAND to the SIM, which computes 0 0 and outputs the response SRES and the encryption key CK . The mobile phone 0 0 sends SRES to the visited network, which compares it to SRES. If SRES =SRES, 0 then the subscriber is authenticated. In this case CK = CK also holds. After the successful authentication of the subscriber, the communications between the mobile phone and the base station of the visited network are encrypted and decrypted with CK by using the stream cipher denoted by A5 in the GSM speci¯cations. The steps of the protocol are summarized in Figure 1.1. mobile phone visited home + SIM card network network IMSI PRNG IMSI RAND K RAND K (RAND, SRES, CK) A3 A8 RAND SRES' A8 A3 RAND SRES CK ? SRES' CK' SRES = SRES' Fig. 1.1. Illustration of the GSM authentication protocol Note that the protocol ensures that the visited network can authenticate the sub- scriberwithoutpossessingthesubscriber'slong-termsecretkey. Thisisachievedwith the help of the home network that provides a matching challenge-response pair to the visited network as part of the triplet. Similarly, the establishment of the encryption key between the mobile phone and the base station of the visited network is carried out with the help of the home network and the triplet mechanism. This requires some trust in the home network operator by the visited network operator, which is established by signing roaming agreements between the two operators. In practice, the home network can transfer several triplets to the visited network when the sub- scriber ¯rst authenticates herself (e.g., when she switches on her phone). In this way,1.3 How existing wireless networks are secured 11 there is no need to contact the home network every time the subscriber needs to be authenticated. Theidentityofthesubscriberishiddenfromeavesdroppersonthewirelessinterface as follows. After each successful authentication, the subscriber receives a temporary identi¯er called TMSI (Temporary Mobile Subscriber Identi¯er) from the visited net- work. The TMSI is encrypted with the freshly established key CK, therefore, it cannot be eavesdropped. In the next authentication request, the mobile phone uses theTMSI,insteadoftheIMSI,toidentifythesubscriber. TheTMSIismappedtothe IMSI by the visited network, and then the protocol proceeds as we described above. Whenthesubscribermovesintoanothervisitednetwork, thenewnetworkcontacts thepreviousoneandsendsittheTMSIreceivedfromthemobilephone. Theprevious network looks up the data associated with the TMSI and transfers the IMSI of the subscriber and the remaining triplets (if any) to the new network, so that the new network can continue serving the subscriber. It can happen that the data associated with the TMSI are no longer available in the previous network (e.g., if the mobile phone has been switched o® for a long time). In this case, the new network requests the mobile phone to send the IMSI in order to bootstrap the TMSI mechanism again. To summarize, the GSM security architecture provides the following security ser- vices: ² Subscriber authentication isbasedonachallenge-responseprotocolandalong-term secret key shared by the subscriber and the home network operator. Data needed to authenticate the subscriber is transferred from the home network to the visited network in form of triplets, such that the long-term secret key is not revealed to the visited network. ² Con¯dentiality of communications and signalling over the wireless interface is en- sured by encryption with a session key established between the subscriber's mobile phone and the base station of the visited network, during the subscriber authenti- cation procedure, with the help of the home network operator. ² Protection of the subscriber's identity from eavesdroppers on the wireless interface is ensured by using short-term temporary identi¯ers instead of the real identi¯er of the subscriber during subscriber authentication. In some cases, the real identi¯er must be used; however, this happens rarely, and so it is di±cult for eavesdroppers to track subscribers. UMTS The GSM security architecture provides a reasonable level of protection, but it has somede¯ciencies;hencethedesignofanewsecurityarchitectureforUMTS,theThird Generation cellular network in Europe.12 The security of existing wireless networks One main problem with the GSM security architecture is that it provides only uni- lateral authentication, where the subscriber is authenticated and the visited network operator is not. This means that someone can set up a fake base station and imple- ment a man-in-the-middle attack. This probably seemed to be too far fetched in the 80's when GSM was designed. But today, there are commercially available devices, called \IMSI catchers", that were originally intended for protocol testing purposes, but can also be used (or misused) to implement a fake base station attack. The fake base station issue is further aggravated by the fact that GSM authenti- cation triplets can be re-used inde¯nitely. Indeed, the subscriber cannot verify the freshness of the challenge that she receives in the subscriber authentication protocol. Thus, a fake base station can coerce the subscriber's mobile phone to re-establish an old, possibly compromised, encryption key with the fake base station. Another problem is that the GSM security architecture does not provide integrity protection services for communications and signalling over the wireless interface. Al- though it is true that modifying messages on-the-°y in a wireless channel is quite challenging (if not impossible in practice), if the communication between the mobile phone and the visited network takes place through a fake base station, then the at- tacker does not need to carry out the modi¯cations in the wireless channel, but it can implement the attack within the fake base station. In addition, as a stream cipher is used for encryption, the attacker can easily manipulate individual bits in encrypted messages without decrypting them. Of course, if the messages carry parts of a voice communication, then the attacker can only achieve some distortion, but it is very unlikely that it can alter the true content of the communication in an unnoticeable way. It can still, however, attack the signalling information. Moreover, besides voice communications, cellular networks are increasingly used for data communications, where °ipping a single bit in a message can have devastating consequences. Additional reasons for a new design include the short length of the encryption key (practically 54 bits only), and the weaknesses discovered in the commonly used implementation of the A3 and A8 algorithms, which, under speci¯c conditions, allow an attacker to compromise the long-term secret key of the subscriber and clone her SIM card 67. The UMTS security architecture addresses the weaknesses listed above. The de- sign approach was to keep the general principles of the GSM security architecture, and to extend it with the necessary mechanisms for authenticating the network to the subscriber and providing integrity protection over the wireless interface. For this reason, the GSM triplets are replaced by authentication vectors that have ¯ve elements: (RAND;XRES;CK;IK;AUTN). As before, RAND is an unpredictable random number, generated by a PRNG, and used as a challenge in the subscriber authentication protocol, XRES is the expected response to RAND, and CK is an en- cryption key to be used between the mobile phone and the base station of the visited1.3 How existing wireless networks are secured 13 network. Both XRES and CK are computed from RAND and the long-term secret key K of the subscriber. In addition, IK is an integrity protection key and AUTN is a token that authenticates the home network to the subscriber and proves the fresh- ness of RAND. AUTN consists of three ¯elds: AUTN =(SQN©AK;AMF;MAC), where ² SQN is a sequence number maintained synchronously by both the subscriber and the home network; ² AK is called the anonymity key, and it is used to hide the value of SQN from eavesdroppers. AK is generated from RAND and K; ² AMF is an authentication and key management ¯eld used to pass parameters from the home network to the subscriber, but it is not fully speci¯ed in the UMTS standard; ² MAC is a message authentication code computed over RAND, SQN, and AMF using the long-term key K. The construction of AUTN and the authentication vector is illustrated in Figure 1.2. Functions f , f , f , f , and f are appropriate one-way functions de¯ned in the 1 2 3 4 5 UMTS standard. PRNG K SQN AMF RAND f2 f3 f4 f5 f1 AK SQN⊕AK AMF MAC RAND XRES CK IK AUTN Fig. 1.2. Construction of AUTN and the authentication vector in UMTS The subscriber authentication protocol is modi¯ed in such a way that, upon re- quest, the visited network receives an authentication vector from the home network14 The security of existing wireless networks anditpassesnotonlythechallengeRAND tothesubscriber,butalsotheauthentica- tiontokenAUTN. Thesubscriber¯rstgeneratestheanonymitykey AK anddecodes the sequence number SQN received in AUTN. SQN is encoded with AK to protect the privacy of the subscriber. Otherwise, an eavesdropper could associate di®erent executions of the authentication protocol with consecutive sequence numbers to the same subscriber. Once SQN is obtained, the subscriber veri¯es the MAC. If this veri¯cation is successful, then she knows that RAND originates from her home net- work. Then, the subscriber veri¯es if SQN is greater than the last sequence number stored by the subscriber. If this does not hold, then the protocol fails. This prevents the subscriber from accepting an old challenge. Finally, the subscriber computes a response RES to RAND and sends it back to the visited network. The subscriber also computes CK and IK. Naturally, these computations are not performed by the subscriber herself, but her mobile phone and its security unit, which in this case is called USIM. The visited network compares RES to XRES, and if they are equal, then the authentication of the subscriber succeeds. After that, the mobile phone and the base station of the visited network protect the integrity and the con¯dentiality of their communications with IK and CK, respectively. ThereisoneweaknessintheUMTSsubscriberauthenticationprotocol,identi¯edin 396: thevisitednetworkisnotauthenticatedtothesubscriber. Althoughthevisited networkcan authenticate itselfto the homenetwork, the homenetworkdoes notpass any con¯rmation regarding the identity of the visited network to the subscriber in the authentication token AUTN. This allows a malicious network operator X to masquerade as network Y to the subscriber. It would still authenticate itself as X to thehomenetwork,butthesubscriberwouldnotknowthis,andshewouldbelievethat sheisservedbyY. Thiscanbeaproblem, as X andY couldusedi®erenttari®s, and the subscriber would learn that she actually used a more expensive network when she receives her bill at the end of the month. One solution to this problem is to include the identi¯er of the visited network in the AMF ¯eld of AUTN. 1.3.2 WiFi LANs Security has always been considered an important issue in WiFi networks. Conse- quently, early versions of the IEEE 802.11 wireless LAN standard 188 already fea- tured a security architecture, called WEP (Wired Equivalent Privacy). As its name indicates, the objective of WEP is to render wireless LANs at least as secure as wired LANs (without particular security extensions). For instance, if an attacker wants to connect to a wired Ethernet network, she needs physical access to the Ethernet hub. However, this is usually made di±cult by placing the hub in a locked room. In case of an unprotected wireless LAN, the attacker has an easier job because she does not1.3 How existing wireless networks are secured 15 need to have physical access to any equipment in order to connect to the network. WEP is intended to transform this easy job into a di±cult one. More precisely, WEP is intended to increase the level of di±culty of attacking wireless LANs such that it becomes comparable to the di±culty of attacking wired LANs (e.g., breaking into locked rooms). Unfortunately, WEP did not make attacks as di±cult as its designers hoped. This would not have been a problem if the weaknesses had been discovered in due time. But things happened di®erently: WEP was already deployed when cryptographers andsecurityexpertsdiscoveredits°aws. ItbecameevidentthatWEPdidnotprovide adequate protection. Soon after this discovery, tools that automate the cracking of WEP keys appeared on the Web. In response to these developments, the IEEE came up with a new security archi- tecture for wireless LANs, described in an extension to the 802.11 standard. This extension is called IEEE 802.11i. In this subsection, we discuss both WEP and IEEE 802.11i. The reason for discussing 802.11i is clear: this is the current approach to protect WiFi LANs. We discuss WEP because, despite its known weaknesses, many systems still support it (for backward compatibility), and thus probably many people andorganizationsstilluseit. Also,thedesign°awsinWEPillustratemanysubtleties in security protocol design that are interesting in general. WEP There are two basic security problems in wireless LANs: First, due to the broadcast nature of radio communications, wireless transmissions can be easily eavesdropped. Second, and more important, connecting to the network does not require physical accessto thenetworkAccessPoint(AP),thusanydevicecan trytoillegitimately use the services provided by the network. WEP attempts to solve the ¯rst problem by encryptingmessages. Thesecondproblemisaddressedbyrequiringtheauthentication of the mobile stations (STAs) before allowing their connection to the network. The authentication of the STA is based on a simple challenge-response protocol, similar to that used in GSM systems. Once authenticated, the STA communicates with the AP by encrypted messages. The key used for encryption is the same as the one used for authentication. The encryption algorithm speci¯ed by WEP is based on the RC4 stream cipher (for the description of the operation of RC4 see e.g., page 397398 of 340). Stream ciphers produce a long pseudo-random byte sequence out of a short secret seed value; this pseudo-random sequence is then XORed to the clear message (byte by byte) in order to generate the encrypted message. WEP works in the same way. The sender (the STA or the AP) of a message M initializes the RC4 algorithm with the secret key and XORs the pseudo-random sequence K produced by RC4 to M. The receiver of the encrypted message M ©K uses the same secret key to initialize the RC4 algorithm that will then produce the same pseudo-random16 The security of existing wireless networks sequenceK. ThenK isXORedtotheencryptedmessagetoobtaintheclearmessage: (M©K)©K =M. But the description above is not precise enough: There is one more thing that WEPdoeswhenencryptingmessages. Itiseasytoseethatifencryptionworkedaswe describedinthepreviousparagraph,theneverymessagewouldbeencryptedwiththe samepseudo-randomsequenceK,asRC4isinitializedwiththesamesecretkeybefore encrypting every message. This would be bad for several reasons. Let us assume, for instance,thatanattackereavesdropstwoencryptedmessagesM ©K andM ©K. By 1 2 XORingthesetwomessagestogether,shegets(M ©K)©(M ©K)=M ©M . This 1 2 1 2 is equivalent to one message being encrypted with the other, but clear messages are far from being pseudo-random sequences. Thus, M ©M is a very weak encryption, 1 2 and the attacker is likely to be able to break it using the statistical properties of the 5 clear messages. In order to address this problem, WEP appends an IV (Initialization Vector) to the secret key before initializing the RC4 algorithm, where the IV changes for every message. This ensures that the RC4 algorithm produces a di®erent pseudo-random sequence for every message. The receiver should also know the IV in order to be able to decrypt the messages received. For this reason, the IV is sent in clear together with the encrypted message. In principle, this is not a problem, as the knowledge of the IV is not enough to decrypt the message: the secret key is also needed for the proper initialization of the RC4 algorithm. As for the sizes, we note that the IV is 24 6 bits long and the secret key is usually 104 bits long , although some vendors provide products that allow for longer keys. Figure 1.3 illustrates the WEP encryption and decryption procedure. Figure1.3alsoshowsthatbeforeencryption, thesenderattachesanintegritycheck value(ICV)totheclearmessage. Thepurposeofthisvalueistoenablethereceiverto detectanymaliciousmodi¯cationsofthemessagebyanattacker. InthecaseofWEP, theICVisaCRCvaluecomputedfortheclearmessage. AsaCRCvaluealonecannot enablethedetectionofmaliciousmodi¯cations(becausetheattackercancomputethe new CRC value for the modi¯ed message), the CRC value is also encrypted in WEP. The rationale is that in order to modify the message in an unnoticeable way, now the attacker must encrypt the new CRC value, but she cannot do this without the knowledge of the secret key. This reasoning is not quite solid, as we will see below. WemustalsomentionhowkeysarehandledinWEP.Thestandardstatesthateach STA has its own key, known only to that STA and the AP. However, this makes key 5 It is also possible that the attacker (partially) knows the content of one of the messages (e.g., the value of the header ¯elds), in which case she can easily compute the (partial) content of the other message. 6 Invarious marketing materials, thisis interpretedas \128-bit security". This is of course mislead- ing (as marketing materials in general), because out of 128 bits, 24 bits are transferred in clear, hence known by the attacker.1.3 How existing wireless networks are secured 17 message + ICV secret key RC4 IV encrypt message + ICV IV decrypt secret key RC4 IV message + ICV Fig. 1.3. Encryption and decryption in WEP management on the AP's side complicated, since the AP must store a key for every STA.Forthisreason, mostimplementationsdonotactuallysupportthisoption. The standard also speci¯es a default key, known to every STA and the AP. Originally, this key was intended to be used for the encryption of broadcast messages originated by the AP. But most WEP implementations support only this default key. Hence, in practice, in most wireless LANs there is a single common key. This key is installed in everymobiledeviceandintheAPmanually. Clearly,thissolutioncanonlybeusedto protect the communications from an outside attacker, but the devices that belong to the network can (in principle) decrypt each other's messages (and impersonate each other). As it will be clear from the brief overview below, WEP does not actually achieve anyofitsoriginaldesigngoals. Thediscovered°awsareinstructive;theydemonstrate the many pitfalls of security protocol design. ² Authentication: Authentication in WEP has several problems. First of all, au- thentication is not mutual, meaning that the AP does not authenticate itself to the STA.Second,theauthenticationandtheencryptionmechanismusethesamesecret key. This is not desirable, as an attacker can exploit the weaknesses of both the authenticationandtheencryptionmethodtobreakthesecretkey. Havingdi®erent keys for di®erent functions is a better security engineering practice. ThethirdproblemisthattheSTAisauthenticatedonlyatthetimewhenittries to connect to the network. Once the STA is associated with the AP, anyone can18 The security of existing wireless networks 7 sendmessagesinthenameofthatSTAbyspoo¯ngitsMAC address. Apparently, this is not a real problem, because the attacker does not know the secret key that is needed to construct well-formed encrypted messages. Hence, the attacker's messages are dropped by the AP anyway. But as we mentioned before, often each STAuses the same secret key. This means that the attacker can fabricate messages in the name of one STA by using encrypted messages of another STA recorded earlier. This is not detected by the AP. The fourth problem stems from the fact that WEP uses RC4 in the authenti- cation protocol for encrypting the random challenge. Thus, an attacker can easily obtain the challenge C and the encrypted challenge R = C ©K by overhearing the exchange, and from these, she can compute the pseudo-random sequence K. However, knowledge of K allows the attacker to impersonate the STA later on, as 0 0 0 she can now compute the response R = C ©K for any other challenge C . The IV mechanism of WEP does not mitigate this problem, since the IV is selected by the sender of the encrypted message; in our case, the sender is the attacker, who will always select the IV that was appended to R. Moreover, as in practice, every STA uses the same key, the attacker can connect to the network in the name of any STA. Obviously, a successful association with the AP is only the ¯rst part of the attack; in order to send and receive messages in the name of a legitimate STA, the attacker needs to know the secret key. However, other °aws in WEP described below allow the attacker to retrieve the secret key. ² Integrity protection: The integrity protection of WEP messages is based on at- taching an ICV to the message, where the ICV is a CRC value computed for the message and encrypted with the secret key. Formally, the encrypted message can be written as (MjjCRC(M))©K, where M is the clear message, K is the pseudo- random sequence produced by the RC4 algorithm from the IV and the secret key, CRC(:) denotes the CRC function, and jj denotes concatenation. It is well known that the CRC function is linear with respect to the XOR operation, which means that CRC(X©Y)=CRC(X)©CRC(Y). Based on this observation, an attacker canmanipulateprotectedWEPmessagesby°ippinganyoftheirbitsunnoticeably, although she does not get access to the contents of the messages. Let us denote the changesthattheattackerwantstomakeinthemessageby¢M. Thentheattacker wantstoobtain((M©¢M)jjCRC(M©¢M))©K fromtheoriginalprotectedmes- sage (MjjCRC(M))©K that she eavesdropped. For this purpose, it is su±cient to compute CRC(¢M), and then to XOR ¢MjjCRC(¢M) to the original protected 7 When followed by \address", \protocol", or \layer", \MAC" means Medium Access Control, and not Message Authentication Code.1.3 How existing wireless networks are secured 19 message. The following derivation shows why this works: ((MjjCRC(M))©K)©(¢MjjCRC(¢M)) = ((M©¢M)jj(CRC(M)©CRC(¢M)))©K = ((M©¢M)jjCRC(M©¢M))©K where in the last step we used the linearity of the CRC function. Since CRC(¢M) can be computed without the secret key, the attacker can succeed despite the en- cryption and the ICV mechanism. Another related integrity requirement is the detection of replayed messages. Un- fortunately, WEP does not use any replay detection mechanism, therefore, an at- tacker can replay any previously recorded message that will be accepted by the AP. ² Con¯dentiality: As we said before, when using a stream cipher, it is essential that each message is encrypted with a di®erent pseudo-random sequence. In WEP, this is ensured by the IV mechanism, but this has some problems too. The origin of the problem is that the IV is only 24 bits long, which means that there are only approximately 17 million possible IV values. A WiFi device can transmit approximately 500 full-length frames in a second, thus, the whole IV space is used up in a few hours. Once all IVs have been used, they start to repeat, and repeating IVs mean repeating pseudo-random sequences used for encryption. The problem is aggravated by the fact that in many networks, there is a single secret key used by everydevicewithpotentiallydi®erentIVs. HencetheIVspacewillbeusedupeven faster. Another practical problem is that in many WEP implementations, the IV is initialized with 0 at startup, and then incremented by one after each message sent. This means that if there are several devices switched on nearly at the same time, thentheyallusethesamesequenceofIVs; iftheyusethesamesecretkeytoo,then the pseudo-random sequences used for encryption will be the same. In this case, theattackerwouldnotevenneedtowait,butitwouldgetmessagesencryptedwith the same pseudo-random sequence immediately. The total collapse of WEP is caused by the inappropriate use of the RC4 cipher. It is known that there exist so-called weak RC4 keys 142. A weak key is a seed valuefromwhichtheRC4algorithmproducesanoutputthatdoesnotlookrandom. More precisely, when a weak key is used to seed RC4, one can infer the bits of the seed from the ¯rst few bytes produced by the algorithm. For this reason, security experts suggest always throwing away the ¯rst 256 bytes of the RC4 output. This simplesolutionwouldhavesolvedtheproblemofweakkeys,butWEPdidnotadopt it. Also, due to the ever changing IV value (which is part of the seed), a weak key canbeencounteredsoonerorlater,andtheattackercaneasilyknowthataweakkey is being used, because the IV is transmitted in clear. Based on these observations,20 The security of existing wireless networks some cryptographers constructed a method that breaks the full 104-bit secret key by eavesdropping on only a few hundred thousands messages. Compared to the previously described °aws, this one is the far most serious, because it allows the attacker to crack the secret key itself: And once she has the secret key, she can do everything. Moreover, the attack is not only powerful, but easy to automate, and thanks to some \helpful" people, automated attacking tools are readily available on the Web for public use (e.g., Aircrack, Weplab). IEEE 802.11i When the °aws in WEP became apparent, the IEEE began to develop a new security architecture for WiFi networks, described in the 802.11i speci¯cation 190. The new conceptiscalledRSN(RobustSecurityNetwork)inordertodistinguishitfromWEP. RSNwasdesignedmorecarefullythanWEP.Itincludesanewmethodforauthentica- tion and access control, which is based on the model de¯ned in the 802.1X standard. The mechanisms for integrity protection and con¯dentiality are also changed, and they use the AES (Advanced Encryption Standard) 5 cipher instead of RC4. However, it is not possible to switch from WEP to RSN overnight. The reason is thatfore±ciencyreasons,manyWiFidevices(mainlyWLANadaptercards)support the encryption algorithm in their hardware. Thus, old devices support RC4 and not AES.Thisproblemcannotbesolvedbyasimple¯rmwareupdate;thehardwareneeds to be changed, which slows the deployment of RSN. This has been recognized by the IEEE too, and they included an optional protocol in the 802.11i speci¯cation, which still uses the RC4 cipher but ¯xes the °aws in WEP. This protocol is called TKIP (Temporal Key Integrity Protocol). Manufacturers immediately adopted TKIP, as it provides a solution to the prob- lems of WEP, and it can be deployed immediately without changing the hardware. They did not wait until the 802.11i architecture was ¯nalized by the lengthy stan- dardization procedure, but they issued their own speci¯cation, called WPA (WiFi Protected Access), based on TKIP. In other words, WPA is a speci¯cation supported by WiFi manufacturers, and it contains a subset of RSN that can also run on old devices that support only the RC4 cipher. Authentication and access control, as well as key management, are the same in WPA and in RSN. The di®erence between the two concepts lies in the mechanisms used for integrity protection and con¯dentiality. We must also mention that RSN is also called WPA2 by many manufacturers. Below, we ¯rst give an overview of the authentication, access control, and key management procedures of 802.11i. Then, we brie°y summarize the operation of TKIP (used in WPA) and AES-CCMP (used in RSN).1.3 How existing wireless networks are secured 21 Authentication and access control: The model of authentication and access con- trol in 802.11i was borrowed from the 802.1X standard 189. IEEE 802.1X was originally intended for wired LANs, but it turned out that the same concepts can be used in wireless LANs too (with a few extensions). The 802.1X model distinguishes three entities in the authentication procedure: the supplicant, theauthenticator, andtheauthenticationserver. Thesupplicantwantsto access the network, and for this reason, it wants to authenticate itself. The authenti- cator controls access to the network. In the model, this is represented by controlling the state of a port. The default state of the port is \closed", which means that data tra±c is disabled. The authenticator can \open" the port if this is authorized by the authentication server. Actually, the supplicant authenticates itself to the authenti- cation server, and if this authentication is successful, then the authentication server grants access to the network by instructing the authenticator to open the port. In the case of WiFi networks, the supplicant is the mobile device and the authen- ticator is the AP. The authentication server is a process that can run on the AP in the case of smaller networks, or on a dedicated server machine in the case of larger networks. In WiFi, the port is not a physical connector, but a logical control imple- mented in software running on the AP. In a wired LAN, a device authenticates itself once, when it is physically connected to the network. There is no need for further authentication (at least for network access control purposes), because the port used by the device cannot be used by someone else. This would require ¯rst disconnecting the device that currently uses theport, whichwouldbedetectedbythehardwareoftheauthenticator, andtheport would be disabled. The situation is di®erent in WiFi networks, because there is no physicalconnectionbetweentheSTAandtheAP.Hence, oncetheSTAauthenticates itself and associates with the AP, someone else can try to steal its session by spoo¯ng its MAC address. For this reason, 802.11i extends 802.1X with the requirement of setting up a session key between the STA and the AP when the STA ¯rst requests access to the network; this session key can then be used to authenticate any further communications between the STA and the AP. Theauthenticationprocedurein802.11iusesEAP(ExtensibleAuthenticationPro- tocol) 9 to carry the messages that need to be exchanged between the STA and the authenticationserver(seeFigure1.4forillustration). NotethatEAPisonlyacarrier protocol: It does not provide authentication services itself, but it can carry the mes- sagesofanyhigherlayerauthenticationprotocol. Thatiswhyitiscalled\extensible". How the higher layer protocol messages are embedded into EAP messages must be speci¯edforeachandeveryhigherlayerprotocol. Suchspeci¯cationsalreadyexistfor many widely used protocols such as the TLS (Transport Layer Security) Handshake and the GSM authentication protocols. There are four message types in EAP: request, response, success, and failure. EAP

Advise: Why You Wasting Money in Costly SEO Tools, Use World's Best Free SEO Tool Ubersuggest.