Last class

1
Last class

• Ethernet
• Hubs and Switches
• Mobile and wireless networks, CDMA
• Today
• CDMA and IEEE 802.11 wireless LANs
• Network security

2
10BaseT and 100BaseT Ethernet

• Uses CSMA/CD
• 10/100 Mbps rate latter called fast ethernet
• T stands for Twisted Pair
• Nodes connect to a hub star topology 100 m
  max distance between nodes and hub

3
Interconnecting with hubs

• Pros
• Enables interdepartmental communication
• Extends max distance btw. nodes
• If a hub malfunctions, the backbone hub can
  disconnect it

• Cons
• Collision domains are transferred into one large,
  common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

hub
hub
hub
hub
4
Switch traffic isolation

• switch installation breaks subnet into LAN
  segments
• switch filters packets
• same-LAN-segment frames not usually forwarded
  onto other LAN segments
• segments become separate collision domains

collision domain
collision domain
collision domain
5
Wireless network characteristics

• Multiple wireless senders and receivers create
  additional problems (beyond multiple access)

• Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
• means A, C unaware of their interference at B

• Signal fading
• B, A hear each other
• B, C hear each other
• A, C can not hear each other interferring at B

6
Overview

• CDMA and IEEE 802.11 wireless LANs
• Network security

7
Code Division Multiple Access (CDMA)

• used in several wireless broadcast channels
  (cellular, satellite, etc) standards
• unique code assigned to each user i.e., code
  set partitioning
• all users share same frequency, but each user has
  own chipping sequence (i.e., code) to encode
  data
• encoded signal (original data) X (chipping
  sequence)
• decoding inner-product of encoded signal and
  chipping sequence
• allows multiple users to coexist and transmit
  simultaneously with minimal interference (if
  codes are orthogonal)

8
CDMA Encode/Decode
channel output Zi,m
Zi,m di.cm
data bits
sender
slot 0 channel output
slot 1 channel output
code
slot 1
slot 0
received input
slot 0 channel output
slot 1 channel output
code
receiver
slot 1
slot 0
9
CDMA two-sender interference
10
Overview

• CDMA and IEEE 802.11 wireless LANs
• Network security

11
IEEE 802.11 Wireless LAN

• 802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in
  physical layer
• all hosts use same chipping code
• widely deployed, using base stations

• 802.11a
• 5-6 GHz range
• up to 54 Mbps
• 802.11g
• 2.4-5 GHz range
• up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions

12
802.11 LAN architecture

• wireless host communicates with base station
• base station access point (AP)
• Basic Service Set (BSS) (aka cell) in
  infrastructure mode contains
• wireless hosts
• access point (AP) base station
• ad hoc mode hosts only

hub, switch or router
BSS 1
BSS 2
13
802.11 Channels, association

• 802.11b 2.4GHz-2.485GHz spectrum divided into 11
  channels at different frequencies
• AP admin chooses frequency for AP
• interference possible channel can be same as
  that chosen by neighboring AP!
• host must associate with an AP
• scans channels, listening for beacon frames
  containing APs name (SSID) and MAC address
• selects AP to associate with
• may perform authentication Chapter 8
• will typically run DHCP to get IP address in APs
  subnet

14
IEEE 802.11 multiple access

• avoid collisions 2 nodes transmitting at same
  time
• 802.11 CSMA - sense before transmitting
• dont collide with ongoing transmission by other
  node
• 802.11 no collision detection!
• difficult to receive (sense collisions) when
  transmitting due to weak received signals
  (fading)
• cant sense all collisions in any case hidden
  terminal, fading
• goal avoid collisions CSMA/C(ollision)A(voidance
  )

15
IEEE 802.11 MAC Protocol CSMA/CA

• 802.11 sender
• 1 if sense channel idle for DIFS then
• transmit entire frame (no CD)
• 2 if sense channel busy then
• - start random backoff time
• - timer counts down while channel idle
• - transmit when timer expires
• - if no ACK, increase random backoff interval,
  repeat 2
• 802.11 receiver
• - if frame received OK
• return ACK after SIFS (ACK needed due to
  hidden terminal problem)

sender
receiver
16
Avoiding collisions (more)

• idea allow sender to reserve channel rather
  than random access of data frames avoid
  collisions of long data frames
• sender first transmits small request-to-send
  (RTS) packets to BS using CSMA
• RTSs may still collide with each other (but
  theyre short)
• BS broadcasts clear-to-send CTS in response to
  RTS
• RTS heard by all nodes
• sender transmits data frame
• other stations defer transmissions

Avoid data frame collisions completely using
small reservation packets!
17
Collision Avoidance RTS-CTS exchange
A
B
AP
defer
time
18
802.11 frame addressing
Address 4 used only in ad hoc mode
Address 1 MAC address of wireless host or AP to
receive this frame
Address 3 MAC address of router interface to
which AP is attached
Address 2 MAC address of wireless host or AP
transmitting this frame
19
802.11 frame addressing
H1
R1
20
802.11 mobility within same subnet

• H1 remains in same IP subnet IP address can
  remain same
• switch which AP is associated with H1?
• self-learning (Ch. 5) switch will see frame from
  H1 and remember which switch port can be used
  to reach H1

hub or switch
BBS 1
AP 1
AP 2
H1
BBS 2
21
Network Security

• What is network security?
• Principles of cryptography
• Authentication
• Access control firewalls
• Attacks and counter measures

22
What is network security?

• Confidentiality only sender, intended receiver
  should understand message contents
• sender encrypts message
• receiver decrypts message
• Authentication sender, receiver want to confirm
  identity of each other
• Message Integrity sender, receiver want to
  ensure message content not altered (in transit,
  or afterwards) without detection
• Access and Availability services must be
  accessible and available to users

23
Friends and enemies Alice, Bob, Trudy

• well-known in network security world
• Bob, Alice (lovers!) want to communicate
  securely
• Trudy (intruder) may intercept, delete, add
  messages

Alice
Bob
data, control messages
channel
secure sender
secure receiver
data
data
Trudy
24
Who might Bob, Alice be?

• well, real-life Bobs and Alices!
• Web browser/server for electronic transactions
  (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?

25
There are bad guys (and girls) out there!

• Q What can a bad guy do?
• A a lot!
• eavesdrop intercept messages
• actively insert messages into connection
• impersonation can fake (spoof) source address in
  packet (or any field in packet)
• hijacking take over ongoing connection by
  removing sender or receiver, inserting himself in
  place
• denial of service prevent service from being
  used by others (e.g., by overloading resources)

more on this later
26
Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control firewalls
• Attacks and counter measures

27
The language of cryptography
Alices encryption key
Bobs decryption key
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext

• symmetric key crypto sender, receiver keys
  identical
• public-key crypto encryption key public,
  decryption key secret (private)

28
Symmetric key cryptography

• substitution cipher substituting one thing for
  another
• monoalphabetic cipher substitute one letter for
  another

plaintext abcdefghijklmnopqrstuvwxyz
ciphertext mnbvcxzasdfghjklpoiuytrewq
E.g.
Plaintext bob. i love you. alice
ciphertext nkn. s gktc wky. mgsbc

• Q How hard to break this simple cipher?
• brute force (how hard?)
• other?

29
Symmetric key cryptography
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext message, m
K (m)
A-B

• symmetric key crypto Bob and Alice share know
  same (symmetric) key K
• e.g., key is knowing substitution pattern in mono
  alphabetic substitution cipher
• Q how do Bob and Alice agree on key value?

A-B
30
Symmetric key crypto DES

• DES Data Encryption Standard
• US encryption standard NIST 1993
• 56-bit symmetric key, 64-bit plaintext input
• How secure is DES?
• DES Challenge 56-bit-key-encrypted phrase
  (Strong cryptography makes the world a safer
  place) decrypted (brute force) in 4 months
• no known backdoor decryption approach
• making DES more secure
• use three keys sequentially (3-DES) on each datum
• use cipher-block chaining

31
Symmetric key crypto DES

• initial permutation
• 16 identical rounds of function application,
  each using different 48 bits of key
• final permutation

32
AES Advanced Encryption Standard

• new (Nov. 2001) symmetric-key NIST standard,
  replacing DES
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1
  sec on DES, takes 149 trillion years for AES

33
Public Key Cryptography

• symmetric key crypto
• requires sender, receiver know shared secret key
• Q how to agree on key in first place
  (particularly if never met)?

• public key cryptography
• radically different approach Diffie-Hellman76,
  RSA78
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver

34
Public key cryptography

Bobs public key
K
B
-
Bobs private key
K
B
encryption algorithm
decryption algorithm
plaintext message
plaintext message, m
ciphertext
35
Public key encryption algorithms
Requirements
.
.

-

• need K ( ) and K ( ) such that

B
B

given public key K , it should be impossible to
compute private key K
B
-
B
RSA Rivest, Shamir, Adelson algorithm