Title: Security Techniques For Wireless Protocols
1. Security Techniques For Wireless Protocols
- Protecting an Inherently Insecure Medium
- R. K. Coleman
- 3e Technologies International, Inc.
2. The 3eTI Total Security Solution
Whether on Navy Ships, Army Tanks or in the Enterprise, Wireless Security is Essential
3. The Wireless Security Landscape
- For wireless security, symmetric-key encryption using U.S. Government-approved AES encryption is an accepted methodology.
- IEEE 802.11i, IEEE 802.15.4, and Bluetooth all employ a cross-layered approach to security.
- All three wireless protocols rely on private encryption keys; therefore, key management over the insecure wireless channel has emerged as a problem of chief concern.
- 802.11i uses Extensible Authentication Protocol (EAP) over LAN to perform authentication and mutual key derivation.
- ZigBee will employ Elliptic Curve Cryptographic (ECC) techniques to derive and manage encryption keys.
- 3eTI provides an innovative Dynamic Key Exchange (DKE) technique that leverages Diffie-Hellman and RSA to securely exchange keys between a wireless Access Point and Client Device.
- 3eTI wireless products have been rigorously tested and validated against NIST / NSA standards, ensuring top-tier security solutions for the discerning wireless consumer.
4. Background: AES
- In Federal Information Processing Standards Publication 197 (FIPS PUB 197), the U.S. National Institute of Standards and Technology (NIST) officially endorses the Rijndael algorithm to be used as the Advanced Encryption Standard (AES) in cryptographic systems throughout Federal Agencies.
- Where Rijndael stood out was in its compact number of rounds required to produce a significant level of entropy.
Streamlined for HW or SW
[Figure: Comparison of AES Contending Algorithm Rounds / Stages]
5. Rijndael Qualities
- Rijndael advantages
  - Fast (for a block cipher) on general purpose processors.
  - Can be compactly implemented on Smart Cards.
  - Its round transformation is parallel by design.
  - Rijndael does not rely on arithmetic operators; as such, it contains no bias in favor of big- or little-endian architectures.
  - The cipher does not base its security, in full or in part, on obscure or not mathematically well-understood operations.
- For completeness, a disadvantage of Rijndael is that the inverse cipher required for decryption is more processing-intensive and less optimal than the forward cipher: it takes more code and consumes more clock cycles.
- Also, the Rijndael cipher and its inverse make use of different code and tables, so in hardware, the inverse cipher can only partially re-use the circuitry that implements the forward cipher.
- Regardless of these disadvantages, Rijndael has stood up to much scrutiny in its 3-year selection process, has solid overall encryption qualities, and has been projected to have a useful lifetime similar to 3DES, or on the order of 20 years.
6. Simplicity of AES ECB Mode
- Electronic codebook mode (ECB) is the simplest and most obvious way to use the AES block cipher. In this mode, no chaining or feedback is employed, and the same block of plaintext always encrypts to the same block of ciphertext.
- AES ECB is straightforward, easy to implement and well-suited to streamlined, high-performance processing.
- However, the fact that the same block of plaintext always encrypts to the same block of ciphertext with ECB mode is a weakness.
- The constant data in the plaintext will produce constant data in the ciphertext, allowing a cryptanalyst to glean information about the plaintext and to mount statistical attacks, irrespective of the strength of the AES block cipher.
- A cryptanalyst who has the plaintext and ciphertext for several messages can start to compile a codebook without knowledge of the actual encryption key.
7. Strengths of AES CCMP
- The CCMP protocol combines Counter (CTR) mode encryption for data privacy or confidentiality, and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication, for an authenticate-and-encrypt process.
- CCMP has two prominent advantages for IEEE 802.11 security:
  - First, it is particularly useful because it computes the CBC-MAC over the IEEE 802.11 header length, selected parts of the IEEE 802.11 MAC Payload Data Unit (MPDU) header, and the plaintext MPDU data, whereas the old IEEE 802.11 WEP mechanism provided no protection to the MPDU header.
  - Secondly, both CCMP encryption and decryption employ only the forward AES block cipher function. In this way CCMP avoids use of the inverse AES cipher, which is more costly and processing-intensive.
- The CCMP implementation does not have to complete calculation of the message authentication code before CTR encryption can begin, allowing parallel implementation of both modes.
- The benefits of performing authentication and encryption on each data packet are clear, as opposed to encryption alone.
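The ECB weakness from slide 6 and the two CCMP properties above (header covered by the MAC, decryption using only the forward cipher), as an added Python example that is not from the original slides. It assumes a small Feistel function `E` as a stand-in for the AES forward cipher, since both points are properties of the mode and not of the cipher, and a simplified CTR plus CBC-MAC layout that is not the 802.11i frame format; all names and sample values are constructed.

```python
import hmac, hashlib

def E(key, block):
    # Forward block function on 16 bytes: a 4-round Feistel stand-in for AES.
    l, r = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, xor(l, f)
    return l + r

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(d): return [d[i:i + 16] for i in range(0, len(d), 16)]

def ecb_encrypt(key, pt):
    # No chaining or feedback: every block is encrypted independently.
    return b"".join(E(key, b) for b in blocks(pt))

def repeated_blocks(ct):
    # Defender's check: number of ciphertext blocks that duplicate another one.
    return len(blocks(ct)) - len(set(blocks(ct)))

def ctr(key, nonce, data):
    # Keystream block i is E(nonce || i); the same call encrypts and decrypts.
    return b"".join(xor(b, E(key, nonce + i.to_bytes(4, "big")))
                    for i, b in enumerate(blocks(data), 1))

def cbc_mac(key, nonce, header, pt):
    # First block binds nonce and lengths, then header and plaintext are chained.
    msg = nonce + len(header).to_bytes(2, "big") + len(pt).to_bytes(2, "big") + header + pt
    tag = bytes(16)
    for b in blocks(msg + bytes(-len(msg) % 16)):
        tag = E(key, xor(tag, b))
    return xor(tag[:8], E(key, nonce + bytes(4)))  # mask MAC with counter-0 keystream

def seal(key, nonce, header, pt):
    return ctr(key, nonce, pt) + cbc_mac(key, nonce, header, pt)

def unseal(key, nonce, header, sealed):
    pt = ctr(key, nonce, sealed[:-8])              # decryption also calls only E
    ok = hmac.compare_digest(sealed[-8:], cbc_mac(key, nonce, header, pt))
    return pt if ok else None

# Constructed sample values, not taken from any real frame.
KEY, NONCE = bytes(range(16)), bytes(12)
HEADER, PAYLOAD = b"constructed-mpdu-header", b"STATUS=NOMINAL;;" * 4

if __name__ == "__main__":
    print(repeated_blocks(ecb_encrypt(KEY, PAYLOAD)), repeated_blocks(ctr(KEY, NONCE, PAYLOAD)))
```

The nonce must never repeat under one key, which is why CCMP builds it from a per-packet number.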
8. Benefits of Elliptic Curve Cryptography
- The elliptic curve discrete logarithm problem rests on mathematics that make it possible to define the addition of two points on the elliptic curve.
- The problem can be defined as follows: Fix an elliptic curve such that P and Q are both points on the curve, and xP represents the point P added to itself x times. Q is a multiple of P, so that Q = xP for some x. The elliptic curve discrete logarithm problem is to determine x given P and Q.
- The elliptic curve discrete logarithm problem's best general-purpose solution requires fully-exponential time.
- Due to the complexity of the elliptic curve discrete logarithm problem that Elliptic Curve Cryptography poses versus the relative ease of implementing the algorithm, ECC provides a very high level of security strength-per-key-bit when compared with other public-key cryptographic systems including RSA, ElGamal, and DSA.
- The strength, as well as the computational efficiency and relative compactness, make ECC/ECDSA very attractive for use in handheld devices and other low-power, miniaturized devices where space and power are at a premium: exactly the applications ZigBee will target.
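The definition Q = xP worked through on a toy curve, as an added Python example that is not from the original slides: computing xP takes a handful of point additions, while recovering x from P and Q needs a search that grows with the square root of the group order. The curve, base point and function names are constructed for illustration, and the baby-step giant-step search goes beyond the slide, which names no specific algorithm.

```python
from math import isqrt

# Constructed toy parameters: y^2 = x^3 + 2x + 2 over GF(17); P = (5, 1) has order 19.
# Deployed curves use primes of about 256 bits; this size only makes the search visible.
p, a, P, N = 17, 2, (5, 1), 19
O = None  # point at infinity, the group identity

def add(A, B):
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                            # A + (-A)
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(x, A):
    # xP by double-and-add: about log2(x) additions (the easy direction).
    R = O
    while x:
        if x & 1:
            R = add(R, A)
        A, x = add(A, A), x >> 1
    return R

def dlog_bsgs(Q):
    # Recover x from Q = xP with baby-step giant-step: about 2*sqrt(N) additions,
    # which is still exponential in the bit length of N (the hard direction).
    m = isqrt(N) + 1
    baby, R = {}, O
    for j in range(m):                     # baby steps: table of jP
        baby[R] = j
        R = add(R, P)
    mP = mul(m, P)
    step, G = (mP[0], -mP[1] % p), Q       # step = -(mP)
    for i in range(m):                     # giant steps: Q - i*(mP)
        if G in baby:
            return (i * m + baby[G]) % N
        G = add(G, step)
    return None
```

For a group order near 2^256 the same search needs about 2^128 additions, which is the strength-per-key-bit argument made above.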
9. Bluetooth Security LAN Access Profile: A Cross-Layered Approach
10. IEEE 802.11i and Key Management
- For wireless systems using a noisy, inherently insecure channel, key management and mutual key derivation are at least as critical as the actual encryption cipher that is chosen and employed.
- IEEE 802.11i includes specifications on encryption, authentication and key management in a multi-layered approach to security.
- IEEE 802.1X-based authentication mechanisms are used, with AES in CCMP mode, to establish an 802.11 Robust Security Network (RSN).
- IEEE 802.1X-2001 defines a framework based on the Extensible Authentication Protocol (EAP) over LANs (EAPoL). EAPoL is used to exchange EAP messages. These EAP messages execute an authentication sequence and are used for key derivation between a Station (STA) and an EAP entity known as the Authentication Server.
- EAP is not tied to any particular authentication algorithm and is therefore highly extensible. It defines a small number of messages used to communicate between the Authentication Server and the EAP Client.
- The Authenticator and Supplicant use the 802.11i four-way handshake to mutually authenticate and to mutually derive the necessary encryption and authentication keys.
11. EAP For Key Management Exchange
EAPoL carries EAP messages between the Supplicant and the Authenticator, which acts as a relay for EAP packets by extracting them from within the EAPoL frames and sending those EAP packets to the Authentication Server over the secure channel.
12. OSI Layer 2 Protection vs. IPSec Layer 3 VPNs
- IPSec provides an Encapsulating Security Payload (ESP), which is a protocol header inserted into an Internet Protocol (IP) datagram at the (layer 3) network layer.
- IPSec is intended to provide confidentiality, data origin authentication, antireplay, and data integrity services to IP frames.
- Virtual Private Networks (VPNs) typically rely on IPSec for implementing secure tunnels.
- The drawback to this approach is that for wireless systems, the datalink (layer 2) and physical (layer 1) frames are completely unprotected using IPSec alone.
  - Spoofing and replay attacks on the MPDU and physical layer packets are possible.
- For wireless traffic, security at layer 2 and above is advisable.
- 3eTI is developing AES for encryption and authentication at the datalink layer in accordance with IEEE 802.11i, providing secure protection of the wireless packet(s).
- Combined with dynamic key exchange and careful key management, MAC-sublayer AES CCMP provides strong protection of the wireless frames.
- IPSec can still be used in the network above AES CCMP, for multi-layer security to provide comprehensive protection.
13. Approach to Dynamic Key Exchange
[Sequence diagram; columns: Security Server, Wireless Access Point, Wireless Client]
  1. Listening
  2. MAC Listening
  3. Start WLAN client
  4. Client sets up card; SSID selected
  5. Pre-Authentication Connection
  6. Client starts authentication
  7. AP pass-through
  8. Challenges client (EAP-TLS)
     Security Server asks client for Certificate and sends its own certificate to client for mutual authentication (EAP/TLS authentication process between security server and wireless client)
  9. Sends auth-success
  10. Sends its DH public key to Security Server; sends prime number
  11. Sends its DH public key and AES-encrypted TLS key
  12. Calculates the DH session key; decrypts the TLS key
  13. Sends success to client
  14. Sends broadcast key to client
  15. Sets broadcast / unicast keys
Key Exchange Ends Successfully
Summary: All packets between the Wireless Access Point and the Security Server are authenticated using HMAC-SHA-1 (per-packet authentication). They have a shared secret.
Note: DH = Diffie-Hellman, TLS = Transport Layer Security
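Steps 10 to 12 together with the per-packet HMAC-SHA-1 from the summary, as an added Python example that is not 3eTI's code: each Diffie-Hellman public value travels in a packet authenticated with the shared secret, so a value altered in transit is dropped before any key is derived. Assumptions: the step-10 sender is the Wireless Access Point (the flattened diagram does not say); the modulus, generator, secret, packet layout and function names are constructed; the prime is fixed here instead of being sent; and the AES encryption of the TLS key is left out.

```python
import hashlib, hmac, secrets

# Constructed values. PRIME is a small illustrative modulus; a deployment would
# use a vetted group of at least 2048 bits. The shared secret is made up.
PRIME, GEN = 2**127 - 1, 3
SHARED_SECRET = b"constructed-ap-server-secret"

def sign(seq, payload):
    # Per-packet authentication: HMAC-SHA-1 over sequence number and payload.
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(SHARED_SECRET, body, hashlib.sha1).digest()

def verify(packet, last_seq):
    # Returns (seq, payload), or None for a bad tag or a replayed sequence number.
    body, tag = packet[:-20], packet[-20:]
    good = hmac.new(SHARED_SECRET, body, hashlib.sha1).digest()
    seq = int.from_bytes(body[:4], "big")
    if not hmac.compare_digest(tag, good) or seq <= last_seq:
        return None
    return seq, body[4:]

def dh_keypair():
    priv = secrets.randbelow(PRIME - 3) + 2
    return priv, pow(GEN, priv, PRIME)

def session_key(priv, peer_pub):
    if not 1 < peer_pub < PRIME - 1:           # reject degenerate public values
        raise ValueError("bad DH public value")
    shared = pow(peer_pub, priv, PRIME)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]

def exchange(flip_bit=False):
    ap_priv, ap_pub = dh_keypair()             # assumed step-10 sender: the AP
    srv_priv, srv_pub = dh_keypair()
    pkt10 = sign(1, ap_pub.to_bytes(16, "big"))      # step 10: DH public key
    if flip_bit:                                      # simulated in-transit change
        pkt10 = pkt10[:19] + bytes([pkt10[19] ^ 1]) + pkt10[20:]
    got = verify(pkt10, last_seq=0)
    if got is None:
        return None                                   # server drops the packet
    srv_key = session_key(srv_priv, int.from_bytes(got[1], "big"))
    pkt11 = sign(2, srv_pub.to_bytes(16, "big"))      # step 11: server's DH public key
    ap_key = session_key(ap_priv, int.from_bytes(verify(pkt11, 1)[1], "big"))
    return ap_key, srv_key                            # step 12: same session key
```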
14. FIPS 140-2 Validation and CC Certification
- FIPS 140-2 is focused on Cryptography and the protection of Cryptographic Keys.
- The main objective of the Common Criteria (CC) initiative was to create standard methods for the specification, design and evaluation of IT security products that would be widely accepted and established, yielding consistent levels of Information Assurance within the security community.
- The determination of acceptable cryptographic algorithms is within the domain of FIPS 140-2 for cryptographic systems deployed in Federal agencies.
- The scope of the CC involves specifying strength of function, proving that configuration management is specified and practiced in the development of the Target of Evaluation (TOE), and that an assurance maintenance plan is specified and executed to maintain the information assurance level of the TOE when new product features are added.
- In this way, FIPS 140-2 and CC are complementary in ensuring a correctly-constructed and strongly-secure wireless end-to-end system is developed and deployed, and that the appropriate level of security is maintained throughout the product life-cycle.
15. Common Criteria and FIPS 140-2 For IA-Enabled Products
16. Future Directions
- 3eTI sees a growing trend toward including active intrusion prevention to secure future networks.
- This includes the use of directional antennas, with adaptive beamforming and null-steering, to effectively provide an invisible fence or RF-boundary (layer 1) around the deployed wireless LAN.
- Smart antennas are coming down in cost and therefore becoming more practical for enterprise or company-wide 802.11 networks.
- These smart antennas will be used to complete the multi-layered security approach by adding physical-layer security techniques to the existing datalink and higher-layer techniques.
- 3eTI has used Small Business Innovation Research (SBIR) contract vehicles to actively pursue research in the area of 802.11 intrusion prevention and smart antenna development, which will in the future reinforce the wireless infrastructures.
- Adaptive beamforming and beamsteering, coupled with 802.11i constructs and other higher-layer intrusion prevention techniques, provide a multi-layered approach to security that is necessary to ensure wireless LANs become a transparent and fully-utilized extension of traditional wired networks.