NCEL - PowerPoint PPT Presentation

Slides: 33
Provided by: kellym55
Tags: ncel | leica

Transcript and Presenter's Notes

Title: NCEL


1
Welcome!
  • NCEL
  • May 1, 2003
  • Minneapolis, MN
  • Ensuring Security in Wireless Applications
  • Dan Blome, Senior Applications Engineer
  • Locus, Incorporated
  • www.locusinc.com

2
Today's Agenda
  • Who is Locus?
  • Security--What's the Big Deal?
  • Security Safeguards
  • Frequency Hopping Spread Spectrum (FHSS)
  • CRCs and ARQs
  • Encryption-- Where and How Makes all the
    Difference
  • Proprietary vs. Open Architecture
  • Security Issues With 802.11b
  • Authentication and TKIP

3
Locus Profile
  • Founded in 1979 in Madison, WI
  • Privately-held
  • 35 experienced team members
  • Two product lines
      • Industrial radios
      • Loran-C timing and navigation receivers
  • Customers include
      • Motorola, USCG, Leica Geosystems, and AMCO
        Automated Systems

4
Why is Locus Qualified to Talk About Wireless
Security?
  • Locus has been designing and supporting secure
    wireless networks for 25 years
  • Security is of utmost importance to our customers
    which span military, governmental, municipal and
    industrial sectors
  • We engineer our own products, own our code, and
    create our own architecture

5
Security. What's the Big Deal?
  • Depending on your industry, security may or may
    not be an obvious issue
  • Regardless, giving unauthorized people access to
    your data is risky
  • Access means a person can not only see your data;
    they can also change your data and share your data!

6
Wireless Security Safeguards
  • Frequency Hopping Spread Spectrum Technology
    (FHSS)
  • CRCs and ARQs
  • Encryption at the firmware level
  • Proprietary, non-open architecture

7
Frequency Hopping Spread Spectrum, Basics (FHSS)
  • A transmitted signal is spread over a wide
    frequency band
  • What is sent over the air is intentionally
    different from actual data
  • The benefits of spreading the signal are
      • signal is immune to unwanted noise/interference
      • signal is immune to snooping/access

8
FHSS, continued...
  • Locus radio signals hop among 79 frequencies
    in the 2.4 GHz band in a predetermined, apparently
    random pattern unique to that network
  • Spread Spectrum is different from Direct Sequence
    which continuously spreads data over a wide
    portion of the frequency band instead of hopping

9
Frequency Hopping vs. Direct Sequence Spread
Spectrum

10
FHSS, continued...
  • Each radio network utilizes its own frequency
    hopping pattern

11
FHSS, continued...
  • Only radios in that network can detect and
    communicate with other radios in that network
  • A radio from another network would have a
    different hopping pattern
  • A different brand of radio may or may not utilize
    FHSS at all, but if it did, its hopping sequence
    would also be different from a Locus radio network

12
FHSS, continued...
  • Frequency hopping is less vulnerable to
    interference, because the frequency is always
    shifting
  • It is very difficult to intercept a frequency
    hopping communication; one must jam the whole
    band to attack

13
Cyclic Redundancy Checks (CRCs) and Automatic
Resend Queries (ARQs)
  • Security means more than knowing someone else
    isn't seeing your data
  • It means knowing you ARE seeing your data!
  • Locus uses CRCs and ARQs to make sure you are
    receiving error-free data
14
What's a Cyclic Redundancy Check?
  • A Cyclic Redundancy Check (CRC) is an industry
    standard method of ensuring data integrity
  • To ensure that a message made it to the
    destination intact, the most straightforward
    method would be to check it word for word or
    bit for bit to make sure that it is what it
    should be
  • But that would mean sending the message at least
    twice so that two messages could be compared with
    each other to make sure that they agree!

15
CRCs, continued...
  • So, as not to waste that bandwidth, a shorter
    representation of the message is tacked on the
    end, called the CRC
  • Since the CRC is shorter than the actual message,
    it isn't a perfect bit for bit check of
    integrity, and the longer the CRC, the better
    its ability to flag an error in the message
  • Common CRC lengths range from 8 bits to 32 bits
  • The 32-bit CRC that Locus uses, in conjunction
    with the rest of the correlation mechanisms in
    the radio, ensures that packets passed to the user
    contain accurate data only

16
What's an Automatic Resend Query?
  • An Automatic Resend Query (ARQ) is a method of
    asking that a packet be re-sent from one radio
    to another if the packet arrived with an error
    originally
  • Locus radios use a common communications method
    between radios to have packets resent if they are
    received in error, and the sending radio
    transmits the packet over the air
  • The receiving radio checks the CRC to make sure
    it received the packet without errors

17
ARQs, continued...
  • If there were no errors, the receiving radio
    sends an acknowledgement packet (ACK) to the
    sender indicating that the message was received
    intact
  • If the sender does not receive the ACK, it
    resends the message (up to a specified amount of
    time) until it does receive the ACK
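
The CRC check and ACK/resend exchange from the slides above, as an added sketch rather than Locus firmware. The use of zlib's CRC-32, the 4-byte trailer layout, the retry budget and the scripted channel events are all assumptions chosen for illustration.

```python
import zlib

MAX_ATTEMPTS = 5  # assumed retry budget, standing in for the "specified amount of time"

def frame(payload: bytes) -> bytes:
    """Append the CRC-32 of the payload as a 4-byte big-endian trailer."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def check(frame_bytes: bytes):
    """Return the payload if the trailer matches, else None (frame is dropped)."""
    if len(frame_bytes) < 4:
        return None
    payload, trailer = frame_bytes[:-4], frame_bytes[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "big") == trailer else None

def flip_bit(data: bytes, bit: int) -> bytes:
    """Constructed channel noise: invert one bit of the frame."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def send_with_arq(payload: bytes, channel_events):
    """Stop-and-wait ARQ. channel_events scripts each attempt: 'ok',
    'corrupt' (bit flipped in transit) or 'ack_lost' (frame arrives, ACK does not).
    Returns (payload handed to the user or None, attempts used, copies received)."""
    delivered, copies = None, 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        event = channel_events[attempt - 1] if attempt <= len(channel_events) else "ok"
        on_air = frame(payload)
        if event == "corrupt":
            on_air = flip_bit(on_air, 13)
        received = check(on_air)
        if received is None:
            continue  # receiver stays silent; sender gets no ACK and resends
        copies += 1
        delivered = received
        if event != "ack_lost":
            return delivered, attempt, copies  # ACK reached the sender
    return delivered, MAX_ATTEMPTS, copies  # sender gave up without an ACK
```

A lost ACK makes the receiver see the same frame twice, so a real link also needs a sequence number to discard the duplicate; the third return value makes that visible.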

18
CRCs and ARQs in Summary
  • Your data travels in packets, which like trains,
    have engines and cabooses (starts and stops)
  • Radios are looking for those starts and stops in
    CRCs
  • If an error is detected, the radio will issue an
    ARQ which says, "Send that one again!"
  • This all happens transparently,
    behind-the-scenes

19
Encryption. What is it?
  • Essentially, encryption is disguising your data
  • Keys are used to mask your data
  • The encryption used today is known as ARC4 with
    128 bit key
  • In addition, Locus implements an algorithm in its
    encryption which significantly distances the key
    from the encrypted data

20
Encryption, continued...
  • Each radio frequency packet you send over a Locus
    radio is encrypted, and the encryption happens
    INSIDE THE RADIO
  • This means that no un-encrypted data passes over
    the air
  • Since the encryption happens INSIDE THE RADIO, it
    is impossible to intercept the data stream

21
Encryption, continued...
  • The data can only be deciphered by the receiving
    Locus radio
  • Locus radios also discard improperly encrypted
    data (possibly foreign or introduced) so it is
    virtually impossible for someone to
    (intentionally or accidentally) add data to the
    Locus data stream

22
Proprietary Architecture
  • Locus radios do not conform to open standards,
    they are designed only to talk with one another
  • Third-party radios cannot circumvent Locus
    security, nor can freeware programs such as
    AirSnort because they have different architecture
  • No other radio uses the same architecture that
    Locus does

23
In Summary
  • In order for Locus radio data to be accessed
      • The radios must be Locus radios
      • The radios must be on the same Locus radio
        network
      • The radios must be on the identical frequency
        hopping channel
      • Both must have the same encryption key
      • Both must have Locus proprietary architecture

24
802.11b
  • Wireless devices such as 802.11b (Wi-Fi radios)
    are intended for consumer and office
    applications, not harsh industrial settings
  • They are specifically designed to meet open
    standards and are intended to be easily
    interfaced to other similar devices
  • What makes 802.11b radios open also makes them
    vulnerable and less secure

25
Increasing 802.11b Security
  • 802.1x Authentication
  • TKIP Encryption

26
Authentication
  • Authentication is the process by which 2 radios
    link to each other
  • Open System and Shared Key are the common
    authentication schemes in 802.11b
  • In both, the Access Point validates that the
    client (PC) is allowed to communicate with it
  • Open System uses no encryption
  • Shared Key does request that the client returns
    a message that has been encrypted and verifies
    that it matches its own before granting access...

27
Authentication, continued...
however, it is easily possible for an unwanted
user to pretend to be an Access Point and grant
access to it, without having any key at all. The
rogue Access Point can then begin listening to
the encrypted data of the client and work on
cracking the encryption key.

28
Authentication, continued...
  • Locus prevents unwanted authentication in that
    both of the radios that form a link must share
    the same encryption key BEFORE the link is
    established.
  • If both radios do not have PRIOR knowledge of the
    key, the radios will not link and the encrypted
    data does not pass.

29
Standard 802.11b Encryption
  • Off-the-shelf 802.11b encryption is flawed in
    that it is possible to inspect encrypted data,
    then work your way back to the key that generated
    it.

30
What is TKIP Encryption?
  • Temporal Key Integrity Protocol
      • distances the encryption key from the actual data
        by applying several algorithms to the key
        before generating the encrypted data
      • performs dynamic key management (changes the
        temporal keys frequently)
      • performs message integrity checks to prevent
        forgery and replay
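
Why a message integrity check needs a key and a counter, shown as an added sketch that is not TKIP's or Locus's own code. HMAC-SHA256 truncated to 8 bytes stands in for TKIP's integrity algorithm, and the frame layout, demo key and payloads are constructed for illustration.

```python
import hashlib
import hmac
import zlib

KEY = bytes(range(16))  # constructed 128-bit demo key, shared before the link forms

def crc_frame(payload: bytes) -> bytes:
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_accepts(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def mic_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Layout: seq (8 bytes) || payload || keyed tag over both (8 bytes)."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, -1

    def accept(self, frame: bytes):
        """Return the payload, or None if the frame is forged, altered or replayed."""
        if len(frame) < 16:
            return None
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, or modified in transit
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            return None  # an earlier frame sent again
        self.last_seq = seq
        return body[8:]

def demo():
    altered = crc_frame(b"setpoint=90")  # an unkeyed CRC can be recomputed by anyone
    rx = Receiver(KEY)
    good = mic_frame(KEY, 1, b"setpoint=40")
    foreign = mic_frame(b"\x00" * 16, 2, b"setpoint=90")  # sender without the key
    tampered = good[:8] + b"setpoint=90" + good[-8:]
    return {
        "crc_accepts_altered": crc_accepts(altered),
        "first": rx.accept(good),
        "replay": rx.accept(good),
        "foreign": rx.accept(foreign),
        "tampered": rx.accept(tampered),
    }
```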

31
In Summary
  • Wireless is made secure through
      • Inherent security within Frequency Hopping Spread
        Spectrum (FHSS) technology
      • CRCs and ARQs
      • Variations of encryption and authentication
      • Proprietary or non-open architectures

32
Thank You!
  • Any Questions?
  • Dan Blome, Senior Applications Engineer
  • blome_at_locusinc.com
  • www.locusinc.com