Editor, ACM Transactions on Information and System Security

1
????????

• ???
• ??????????????
• ?????????????
• Editor, ACM Transactions on Information and
  System Security

2
????

• ??? Introduction to Wireless Network Security
• ??? Information Security Management
• ??? Authentication and Watermarking
• ??? Applied Cryptography-- Encryption Algorithm
  and Digital Signature
• ??? Intrusion Detection System, Malicious
  code--Worms, Viruses, and Trojans
• ??? VPN amd Management/Application of PKI

3
Wireless Security

• ???
• ??????????????
• ?????????????
• Editor, ACM Transactions on Information and
  System Security

4
Outline

• Introduction
• GSM
• GPRS
• 3G
• IEEE 802.1x
• Bluetooth
• Mobile IP
• WEP
• RFID
• Wireless Sensor

5
Introduction to Wireless

• Wireless
• Convenient
• Mobility
• Usually limited computation power
• However
• Air media
• Easy to listen

6
Wireless Characteristics Open system
Associate request
Client
Access Point (AP)
Associate response

• allows anyone to begin a conversation with the
  access point, and provides no security whatsoever
  to the client who can talk to the AP

7
Introduction to Security Issues of Wireless
Networks

• Security is major issue
• Different architecture has different security
  vulnerabilities
• We will introduce architecture and security
  vulnerabilities separately

8
GSM
9
Overview

• GSMGlobal System for Mobile Communications
• A digital wireless network standard
• Circuit-switched technology
• FDMA TDMA
• 890-915 MHz for the link

FDMA Frequent Division Multiple Access TDMA
Time Division Multiple Access
10
GSM Network Architecture

•  

MS Mobile Station BTS Base Transceiver
Station BSC Base Station Controller MSC Mobile
Switching Center OMS Operation and Maintenance
System VLR Visited Location Register HLR Home
Location Register AUC Authentication Center EIR
Equipment Identify Register
11
Security Architecture
12
Problems with GSM Security(1/3)

• Active Attacks
• Impersonating network elements such as false BTS
  is possible .
• Key Transmission
• Cipher keys and authentication values are
  transmitted in clear within and between networks.
• Limited Encryption Scope
• Encryption terminated too soon at edge of network
  to BTS
• Communications and signaling in the fixed network
  portion arent protected
• Designed to be only as secure as the fixed
  networks.
• Channel Hijack
• Protection against radio channel hijack relies on
  encryption.
• However, encryption is not used in some networks.

13
Problems with GSM Security (2/3)

• Implicit Data Integrity
• No integrity algorithm provided
• Unilateral Authentication
• Only user authentication to the network is
  provided.
• No means to identify the network to the user.
• Weak Encryption Algorithms
• Key lengths are too short
• Unsecured Terminal
• IMEI is an unsecured identity Integrity
  mechanisms

14
Problems with GSM Security(3/3)

• Lawful Interception Fraud
• Considered as afterthoughts
• Lack of Visibility
• No indication to the user that encryption is on
• Inflexibility
• Inadequate flexibility to upgrade and improve
  security functionality over time

15
3G
16
3G Network Architecture
CircuitNetwork
Circuit/ Signaling Gateway
Mobility Manager
Feature Server(s)
Circuit Switch
IN Services
RNC
Call Agent
Data Packet Voice
Voice
IP Core Network
Radio Access Control
Packet Network (Internet)
Packet Gateway
3G
2G/2.5G
2G
RAN Radio Access Network RNC Radio Network
Controller
17
Problems with 3G Security

• IMSI (International Mobile Subscriber Identify)
  is sent in cleartext when allocating TMSI
  (Temporary Mobile Subscriber Identify) to the
  user
• The transmission of IMEI (International Mobile
  Equipment Number) is not protected
• A user can be enticed to camp on a false BS (Base
  Station).
• Hijacking outgoing/incoming calls in networks
  with disabled encryption is possible.
• Man-in-the-middle and drops the user once the
  call is set-up

18
3G Security Principles

• Build on GSM security
• Correct problems with GSM security
• Add new security features

19
IEEE 802.1x
20
IEEE 802.1X

• A framework for authenticating and controlling
  user traffic to a protected network
• Uses Extensible Authentication Protocol (EAP)
• Provides key management

21
EAP Architecture

• EAP is an envelope that supports many different
  kinds of authentication

Method Layer
TLS
AKA/SIM
PEAP/EAP TTLS
LEAP
EAP APIs

EAP Layer
Driver APIs
Media Layer
PPP
802.3
802.5
802.11
22
EAP Related Methods

• Cisco LEAP
• PEAP
• EAP-TLS
• EAP-TTLS

23
Cisco's Lightweight EAP (LEAP)

• Mutual password authentication between the
  station and AP per session WEP
• Because LEAP's challenge/response isn't
  encrypted, it's vulnerable to offline dictionary
  attacks

24
LEAP authentication process
25
Protected extensible authentication protocol
(PEAP)

• Authentication process
• Establish TLS connection between authentication
  server and user
• Authenticate authentication server
• Authenticate user
• Generate session keys
• There exists risks of man-in-the-middle attack in
  PEAP

26
802.1x vulnerabilities

• Absence of mutual authentication
• One way authentication of supplicant.
• Adversary acting as access point leads to
  Man-in-the-middle attack
• Session hijacking
• Attacker spoofs MAC (Medic Access Control) of AP
  and disassociates client
• Next, it spoofs MAC of client and gains
  connection

27
Bluetooth Security
28
Introduction

• Developed by Bluetooth Special Interest
  Group(SIG)
• The Bluetooth protocol uses a combination of
  circuit and packet switching.
• Form ad hoc networks of several(up to eight)
  devices, called piconets
• Use the radio range of 2.45 GHz, max bandwidth is
  1Mb/s
• Support either asynchronous data channel and up
  to three synchronous speech channels
• provides a point-to-point connection (only two
  Bluetooth units involved), or a
  point-to-multipoint connection,

29
Security Scheme of Bluetooth
30
Generation of Unit Key
(Bluetooth device address)
31
Security VulnerabilityUnit Key Stealing
32
Mobile IP
33
The Need for Mobile IP

• A home link is the link on which a specific node
  should be located that is the link, which has
  been assigned the same network-prefix as the
  nodes IP address
• A foreign link is any link other than a nodes
  home link that is, any link whose
  network-prefix differs from that of the nodes IP
  address
• Mobility is the ability of a node to change its
  point of attachment from one link to another
  while maintaining all existing communications and
  using the same IP address at its new link

34
Mobile IP Entities and Relationships
Mobile Node at home
foreign Link
tunnel
Home Link
Foreign Agent
Home Agent
Mobile Node visiting a foreign link
35
3 functional entities

• Mobile Node (MN) a node which can change its
  point-of-attachment to the Internet from one link
  to another while maintaining any ongoing
  communications and using its (permanent) IP home
  address
• Home Agent (HA) router with an interface on the
  mobile nodes home link, which
• Is informed by the mobile node about its current
  location, represented by its care-of-address
• Intercepts packets destined to the mobile nodes
  home address and tunnels them to the mobile
  nodes current location, i.e. to the
  care-of-address

36
3 functional entities (cont.)

• Foreign Agent (FA) a router on a mobile nodes
  foreign link which
• Assists the mobile node in informing its home
  agent of its current care-of address
• In some cases, provides a care-of address and
  de-tunnels packets for the mobile node that have
  been tunneled by its home agent
• Serves as default router for packets generated by
  the mobile node while connected to this foreign
  link

37
Security Issues

• Insider Attack
• Mobile Node Denial-of-Service
• Replay Attacks
• Theft of Information Passive Eavesdropping
• Theft of Information Session-Stealing (Takeover)
  Attack

38
Wired Equivalent Privacy (WEP)
39
WEP

• WEP Wired Equivalent Privacy
• Protection between AP and MNs (Mobile Nodes)
• Based on RC4 algorithm plus a 24-bit IV (Initial
  Vector)
• IV is included in each packet to ensure data
  integrity
• Stream Cipher
• optional for 802.11

40
How WEP Works
41
Problems with WEP

• Key Generation
• ICV Generation
• WEP Attacks

42
Key generation problems

• The main problem of WEP is Key Generation.
• Key distribution is done manually.
• Secret Key is too small, only 40 Bits.
• Very susceptible to brute force attacks.
• IV is too small.
• Only 16 Million different possibilities for every
  packet.
• Secret Keys are accessible to user, therefore not
  secret.

43
ICV generation problems

• The ICV is generated from a cyclic redundancy
  check (CRC-32)
• Only a simple arithmetic computation. Can be done
  easily by anyone.
• Not cryptographically secure.

44
Attacks

• Replay
• Statistical gathering of certain ciphertext that
  once sent to server will cause wanted reaction.
• IP redirection
• The access point will decrypt the packet, and
  send the packet off to its (new) destination.
• Denial of Service Attacks
• Flooding the 2.4Ghz frequency with noise.

45
Security Flaws

• The risks of keystream reuse
• If C1 P1?RC4(IV,k)
• and C2 P2?RC4(IV,k)
• then
• C1 ? C2 ( P1?RC4(IV,k)) ?(
  P2?RC4(IV,k))
• P1 ? P2
• The WEP standard recommends(but does not require)
  that the IV be changed after every packet.

46
Reuse Initialization Vector

• The IV field used bye WEP is only 24 bits wide,
  nearly guaranteeing that the same IV will be
  reused for multiple messages.
• packet size 2000-byte
• at average 5Mbps bandwidth
• ( ( (2000 ?8)/(5 ?106)) ? 224)/360014
  hours
• PCMCIA cards that they tested reset the IV to 0
  each time its re-initialized, and the IV is
  incremented by one for each packet.

47
Decryption Dictionaries

• Some access points transmit broadcast messages in
  plaintext and encrypted form when access control
  is disabled.
• The attacker can build a table of the keystream
  corresponding to each IV.
• It does not matter if 40 bits or 104 bits shared
  secret key use as the attack centers on the IV
  collision.

48
Message Modification

• The WEP checksum is a linear function of the
  message.
• ? may be chosen arbitrarily bye the attacker
• A?(B) ltIV, Cgt
• (A)?B ltIV, Cgt
• C C ? lt ?,c(?)gt
• RC4(IV,k) ? ltM, c(M)gt ? lt ?,c(?)gt
• RC4(IV,k) ? ltM ? ?, c(M) ? c(?)gt
• RC4(IV,k) ? ltM ? ?, c(M ? ?)gt
• RC4(IV,k) ? ltM, c(M)gt
• MM ? ?

49
Message Injection

• It is possible to reuse old IV values without
  triggering any alarms at the receiver.
• That is, if attacker ever learns the complete
  plaintext P of any given ciphertext packet C, he
  can recover keystream used to encrypt the packet.
• P ? C P ? (P?RC4(IV,k)) RC4(IV,k)
• (A)?B ltIV,Cgt
• where C ltM, c(M) gt ?
  RC4(IV,k)

50
Authentication Spoofing

• The message injection attack can be used to
  defeat the shared-key authentication mechanism
  used by WEP.
• The attacker learns both the plaintext challenge
  sent by the access point and the encrypted
  version sent by the mobile station.

51
RFID Radio Frequent Identification
52
The technologies - RFID

• Provides a means of retrieving information stored
  on a tag using radio frequencies
• Function
• Identify
• Provide information
• Instruct downstream
• operations
• Benefit
• Doesnt require line of sight
• High speed multiple read capability
• Accurate
• Can be read in harsh environments
• Difficult to counterfeit
• Can carry large amounts of data
• Can be read and written
• price prohibitive for most consumer packs
• primarily used for returnable systems

53
Components of RFID

• A basic RFID system consist of three components
• An antenna or coil
• A transceiver (with decoder)
• A transponder (RF tag) electronically programmed
  with unique information

54
Some samples
55
RFID example warehouse management

• Standard barcode label printer fitted with RFID
  option
• Special labels with RFID tag embedded
• In one single operation
• Printing of label
• Writing of Data to tag

56
Wireless sensor network
57
Wireless sensor network

• Wireless sensor network is an emerging technique
  that can be used for various application areas.
• New challenges come from the environment of
  sensor network, such as security, power
  management.

58
Sensor networks communication architecture
59
Design factors

• Fault tolerance
• Scalability
• Production costs
• Hardware constraints
• Sensor network topology
• Environment
• Transmission media
• Power consumption

60
Sensor nodes example

• SmartDust node (Berkeley)

• Our sensor node (NCTU)

• Systronix JStamp Processor (Utah)

61
Sensor node

• Compact, small and low power device.
• Limited processing, storage, bandwidth and energy.

62
Characteristics of prototype SmartDust Nodes
63
Differ from wireless ad hoc networks

• Densely deployed.
• Prone to failures.
• Share one broadcast communication paradigm
• Limited in power, computational capacities, and
  memory.
• No global ID because of the large amount of
  overhead and large number of sensors.

64
Security requirements for sensor networks

• Data confidentiality
• Design more efficient encryption methods
• Low cost encryption methods, like RC5, RC6, AES.
• Data authentication
• Two party
• Broadcast
• Data integrity
• Data freshness

65
Security issues

• More efficient encryption and authentication
  protocols
• Secure data aggregation
• Secure routing
• Key management

66
Applications

• Military applications
• Habitat monitoring applications
• Environment observation and forecasting system
  (EOFS)
• Health applications
• Structure health monitoring (SHM) system
• Home applications, office applications