Redes Inalámbricas – Tema 6 . Seguridad
104
REDES INALÁMBRICAS Máster de Ingeniería de Computadores-DISCA Redes Inalámbricas – Tema 6. Seguridad La tecnología 802.11: WEP y el estándar 802.11i Seguridad en MANET
description
Redes Inalámbricas – Tema 6 . Seguridad. La tecnología 802.11: WEP y el estándar 802.11i Seguridad en MANET. WEP y IEEE802.11i. Wireless LAN Security Issues. Issue Wireless sniffer can view all WLAN data packets Anyone in AP coverage area can get on WLAN. 802.11 WEP Solution - PowerPoint PPT Presentation
Transcript of Redes Inalámbricas – Tema 6 . Seguridad
REDES INALÁMBRICAS Máster de Ingeniería de Computadores-DISCA
Redes Inalámbricas – Tema 6. Seguridad
La tecnología 802.11: WEP y el estándar 802.11i
Seguridad en MANET
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Wireless LAN (WLAN)
Wireless LAN Security IssuesIssue Wireless sniffer can view all WLAN
data packets Anyone in AP coverage area can get
on WLAN
802.11 WEP Solution Encrypt all data transmitted
between client and AP Without encryption key, user
cannot transmit or receive data
Wired LAN
Goal: Make WLAN security equivalent to that of wired LANs (Wired Equivalent Privacy)
client access point (AP)
WEP y IEEE802.11i2
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WEP – Protection for 802.11b Wired Equivalent Privacy
No worse than what you get with wire-based systems. Criteria:
“Reasonably strong” Self-synchronizing – stations often go in and out of coverage Computationally efficient – in HW or SW since low MIPS CPUs might be
used Exportable – US export codes (relaxed in Jan 2000 / “Wassenaar
Arrangement”) Optional – not required to used it
Objectives: confidentiality integrity authentication
WEP y IEEE802.11i3
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WEP – How It Works Secret key (40 bits or 104 bits)
can use up to 4 different keys Initialization vector (24 bits, by IEEE std.)
total of 64 or 128 bits “of protection.” RC4-based pseudo random number generator (PRNG) Integrity Check Value (ICV): CRC 32
IV(4 bytes)
Data (PDU)( 1 byte)
Init Vector(3 bytes)
1 bytePad
6 bitsKey ID2 bits
Frame header
ICV(4 bytes) FCS
WEP y IEEE802.11i4
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WEP Encryption Process
1) Compute ICV using CRC-32 over plaintext msg.2) Concatenate ICV to plaintext message.3) Choose random IV and concat it to secret key and input it to
RC4 to produce pseudo random key sequence.4) Encrypt plaintext + ICV by doing bitwise XOR with key
sequence to produce ciphertext.5) Put IV in front of cipertext.
InitializationVector (IV)Secret Key
Plaintext
Integrity Algorithm
Seed WEP PRNG
Key Sequence
Integrity Check Value (ICV)
IV
Ciphertext Message
WEP y IEEE802.11i5
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WEP Decryption Process
1) IV of message used to generate key sequence, k.2) Ciphertext XOR k original plaintext + ICV.3) Verify by computing integrity check on plaintext (ICV’) and
comparing to recovered ICV.4) If ICV ICV’ then message is in error; send error to MAC
management and back to sending station.
IVCiphertext
Secret Key
Message
WEP PRNGSeed
Key Sequence
Integrity Algorithm
Plaintext
ICV’ICV
ICV’ - ICV
WEP y IEEE802.11i6
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WEP Station Authentication Wireless Station (WS) sends
Authentication Request to Access Point (AP).
AP sends (random) challenge text T. WS sends challenge response
(encrypted T). AP sends ACK/NACK.
WS APAuth. Req.
Challenge Text
Challenge Response
Ack
WEP y IEEE802.11i
Client
AP
Access Point
Authentication RequestChallenge
ENC SharedKey {Challenge}Success/Failure
Shared WEP Key
7
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WEP Weaknesses Forgery Attack
Packet headers are unprotected, can fake src and dest addresses. AP will then decrypt data to send to other destinations. Can fake CRC-32 by flipping bits.
Replay Can eavesdrop and record a session and play it back later.
Collision (24 bit IV; how/when does it change?) Sequential: roll-over in < ½ day on a busy net Random: After 5000 packets, > 50% of reuse.
Weak Key If ciphertext and plaintext are known, attacker can determine key. Certain RC4 weak keys reveal too many bits. Can then determine RC4
base key. Well known attack described in Fluhrer/Mantin/Shamir paper
“Weaknesses in the Key Scheduling Algorithm of RC4”, Scott Fluhrer, Itsik Mantin, and Adi Shamir
using AirSnort: http://airsnort.shmoo.com/ Also: WEPCrack
http://wepcrack.sourceforge.net/
WEP y IEEE802.11i8
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Ways to Improve Security with WEP Use WEP(!) Change wireless network name from
default any, 101, tsunami
Turn on closed group feature, if available in AP Turns off beacons, so you must
know name of the wireless network MAC access control table in AP
Use Media Access Control address of wireless LAN cards to control access
Use Radius support if available in AP Define user profiles based on user
name and password
War Driving in New Orleans (back in December 2001) Equipment
Laptop, wireless card, software GPS, booster antenna (optional)
Results 64 Wireless LAN’s Only 8 had WEP Enabled (12%) 62 AP’s & 2 Peer to Peer
Networks 25 Default (out of the box)
Settings (39%) 29 Used The Company Name
For ESSID (45%)
WEP y IEEE802.11i9
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 War Driving
Locating wireless access points while in motion http://www.wardrive.net/
Adversarial Tools Laptop with wireless adapter External omni-directional antenna Net Stumbler or variants http://www.netstumbler.com/ GPS With GPS Support
Send constant probe requests
10
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
War Driving in New Orleans (back in December 2001)
WEP y IEEE802.11i11
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Quick and dirty 802.11 Security Methods
SSID Closed mode MAC layer security
12
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10Quick and dirty Security Methods:
Closed Mode of Operation
Hide SSID All devices in a WLAN have to have same SSID to communicate
SSID is not released Beacon messages are removed Client has to know exact SSID to connect
Make active scanning, send probe request
13
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacking to 802.11 Closed Mode
Impersonate AP
Client Connection
Disassociate
Client sends Probe Request which includes SSID in clear
Capture Probe Request Packets for SSID information
Client AP
14
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Man-in-the-middle Attack
Wired Network
Client
AP
Access Point
ApplicationServer
Impersonate AP to the client
Impersonate Client to the AP
15
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Quick and dirty 802.11 Security Methods
SSID Closed mode MAC layer security
16
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10Quick and dirty security Methods: MAC Layer
Security Based on MAC addresses MAC filters
Allow associate of a MAC Deny associate of a MAC
Wired Network
MAC: 00:05:30:BB:CC:EE
MAC: 00:05:30:AA:AA:AA
?
17
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Bypass MAC Filters: MAC Spoofing
Wired Network
Legitimate Client
AP
Access Point Application Server
Association Request
802.11
Association ResponseAccess to Network
Disassociate
Set MAC address of Legitimate Client by using SMAC or variants 2
Association RequestAssociation Response
Access to Network
34
5
1
Monitor
Authentication RespondAuthentication Request
Probe RespondProbe Request
18
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Rouge AP
Install fake AP and web server software Convince wireless client to:
Disassociate from legitimate AP Associate to fake AP
Bring similar web application to user to collect passwords Adversarial tools:
Any web server running on Unix or MS environments Fake AP (http://www.blackalchemy.to/project/fakeap/)
Run fake • AP software• Web Server
Wired NetworkAPApplication Server:i.e. Web Server
Reconnect to louder AP
19
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 IEEE 802.11i: Introducción
Las redes inalámbricas 802.11 siguen teniendo la fama de inseguras
Desde el año 2004 se cuenta con el estándar 802.11i, que proporciona una alta seguridad a este tipo de redes no hay descrito ningún ataque efectivo sobre WPA2 en modo
infraestructura (correctamente configurado) WEP dejó de ser una opción a partir del año 2001
¡pero seguimos burlándonos de él! ya no forma parte del estándar 802.11 (su uso está desaprobado por el
añadido 802.11i La tecnología actual permite redes Wi-Fi seguras
20
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Cronología de la seguridad en 802.11
1997 1999 2001 2003 2004802.11
802.11a
802.11b 802.11g 802.11i
Wi-Fi WPA WPA2
WEP
21
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 ¿En qué falló WEP?
utiliza una única clave secreta para todo: autenticación, confidencialidad
y se usa en todos los dispositivos y durante todo el tiempo la gestión de las claves es manual la autenticación es sólo para el dispositivo cliente
no se autentica al usuario, ni se autentica la red el IV es demasiado pequeño y la forma de usarlo debilita el
protocolo la integridad no funciona (CRC no es un buen código)
y no incluye las direcciones fuente y destino
22
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 ¿Qué podemos hacer?
No intentar resolverlo todo de una Buscar los protocolos adecuados para cada funcionalidad Permitir la gestión automática de las claves de cifrado Cambiar frecuentemente las claves, obteniéndolas
automáticamente Autenticar al usuario, no al dispositivo Autenticar a la red (también hay redes ‘malas’) Utilizar protocolos robustos de autenticación, integridad y
confidencialidad
23
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Primera aproximación: 802.1X Control de acceso basado en el
puerto de red: una vez autenticada y asociada
una estación, no se le da acceso a la red hasta que no se autentique correctamente el usuario
Componentes: suplicante, autenticadory servidor de autenticación
Utiliza EAP como marco de autenticación EAP permite el uso de distintos
protocolosde autenticación: MD5, MS-CHAPv2, …
La utilización de un método criptográfico en la autenticación permite generar claves secretas también se pueden distribuir de
manera segura
24
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Métodos EAP (1)
Los métodos EAP en redes Wi-Fi han de cumplir: protección de las credenciales de usuario autenticación mutua usuario red derivación de claves
Solución: emplear un túnel TLS el servidor se autentica con certificado digital las credenciales viajan protegidas TLS genera una clave maestra
¿Qué servidor autentica? RADIUS trabaja con distintas Bases de Datos de usuario permite la escalabilidad mediante una jerarquía de servidores (en árbol)
25
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Métodos EAP (2)
Los más habituales en Wi-Fi: EAP-TLS
se utilizan certificados digitales en ambos extremos EAP-TTLS (Tunneled TLS)
en una primera fase se establece un túnel TLS a partir del certificado digital del servidoren la segunda fase se utiliza cualquier otro método de autenticación (protegido por el túnel). Ej.: PAP, MD5, …
EAP-PEAP (Protected EAP)equivalente a TTLS, pero sólo emplea métodos EAP para la segunda fase: TLS, MS-CHAP-V2, …
Si se emplean dos fases: identidad anónima en la autenticación externa (dominio) identidad real en la autenticación interna
26
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 El servicio RADIUS
Permite autenticar a los usuarios que establecen conexiones remotas u 802.1X
Es capaz de trabajar con distintos repositorios de cuentas de usuario el Directorio Activo de Windows, LDAP, ficheros, …
Si el usuario no pertenece a su dominio lanza la petición a su ‘padre’ en la jerarquía RADIUS en los métodos que utilizan dos fases se emplea la identidad externa
para redirigir la petición Los canales cifrados (túneles TLS) se establecen entre el
suplicante y el RADIUS final que atiende la petición
27
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Jerarquía RADIUS28
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Primera solución: WPA
Mientras en el IEEE se trabaja en el nuevo estándar 802.11i, las debilidades de WEP exigen protocolos de cifrado en niveles superiores a la capa de enlace
La industria es reacia a adoptar las redes 802.11 El consorcio Wi-Fi Alliance decide sacar el estándar comercial
WPA (Wi-Fi Protected Access) Se basa en un borrador del estándar 802.11i y es un
subconjunto del mismo compatible hacia delante
Soluciona todos los problemas que plantea WEP con medidas válidas a medio plazo
29
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 La confidencialidad en WPA: TKIP
TKIP (Temporal Key Integrity Protocol) es el protocolo de cifrado diseñado para sustituir a WEP reutilizando el hardware existente
Forma parte del estándar 802.11i aunque se considera un protocolo ‘a desaprobar’
Entre sus características: utiliza claves maestras de las que se derivan las claves el IV se incrementa considerablemente (de 24 a 48 bits) cada trama tiene su propia clave RC4 impide las retransmisiones de tramas antiguas comprueba la integridad con el algoritmo Michael
no ofrece la máxima seguridad, pero incorpora contramedidas ante los ataques (desconexión 60 s y generación de claves)
30
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 ¿Cómo se configura WPA?
Autenticación 802.11 abierta Autenticación 802.1X (en modo infraestructura) Métodos EAP con túnel TLS
identidad externa anónima, si es posible Restricción de los servidores RADIUS aceptados Cifrado: TKIP ¿Y si estamos en un entorno SOHO?
no hay servidores RADIUS no podemos autenticar al usuario como hasta ahora no podemos generar la clave maestra utilizamos una clave pre-compartida entre todos ¡!
31
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 La solución definitiva: 802.11i = WPA2
El protocolo CCMP ofrece el cifrado (mediante AES) y la protección de integridad se considera el algoritmo de cifrado más seguro hoy en día (no se ha
ideado ningún ataque contra el mismo) necesita soporte hardware para no penalizar aunque se han incorporado mejoras en el diseño para hacerlo más
eficiente Se establece el concepto RSN: Robust Security Networks
aquellas en las que todas las asociaciones entre dos dispositivos son de tipo RSNA intercambio de claves con un 4-Way Handshake
32
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Asociaciones de tipo RSNA
Una vez que el usuario se ha autenticado ante el RADIUS, ambos han generado una clave maestra
El RADIUS le proporciona esta clave al AP El punto de acceso y el cliente realizan un diálogo (con 4
mensajes) en el que: comprueban que el otro tiene en su poder la clave maestra sincronizan la instalación de claves temporales confirman la selección de los protocolos criptográficos
Las claves temporales son de dos tipos: para el tráfico unicast (estación AP) para el tráfico multicast y broadcast (AP estaciones)
33
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 ¿Cómo se configura WPA2?
Autenticación 802.11 abierta Autenticación 802.1X (en modo infraestructura) Métodos EAP con túnel TLS
identidad externa anónima, si es posible Restricción de los servidores RADIUS aceptados Cifrado: AES ¿Y si estamos en un entorno SOHO?
utilizamos una clave pre-compartida entre todos esta clave sirve de autenticación esta es la clave maestra a partir de la que generar el resto
LA PALABRA DE PASO HA DE TENER MÁS DE 20 CARACTERES
34
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 WPA y WPA2
WPA puede ejecutarse con todo el hardware que soportase WEP (sólo necesita una actualización de firmware)
WPA2 necesita hardware reciente (2004 ) WPA acabará siendo comprometido a medio plazo y sólo se
recomienda como transición a WPA2
Algunos AP permiten emplear un modo mixto que acepta tanto clientes WPA como clientes WPA2 en la misma celda hay una pequeña degradación en las claves de grupo(este modo nos ha dado problemas con algunas PDA)
35
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Pre-autenticación 802.1X
El proceso de establecer la asociación y generar las claves es costoso y puede afectar a la movilidad
La pre-autenticación consiste en establecer el contexto de seguridad con un AP mientras se está asociado a otro
El tráfico entre la estación y el nuevo AP viaja por la red cableada
Cuando, finalmente, se produce el roaming, el cliente indica que ya está hecha la asociación inicial
Sólo disponible en WPA2 (excluido en WPA)
36
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Soporte 802.11i en los S. Operativos
Windows Mobile ¡Cada PDA es un mundo! Incluye el suplicante 802.1X Soporta sólo WPA (cifrado TKIP) métodos EAP: EAP-TLS y EAP-PEAP/MS-CHAP-V2
Windows XP SP2 Incluye el suplicante 802.1X Soporta WPA (de fábrica). Se puede aplicar la actualización a WPA2 (si la
tarjeta lo soporta)esta actualización no se aplica a través de Windows Update
métodos EAP: EAP-TLS y EAP-PEAP/MS-CHAP-V2 permite restringir los servidores RADIUS aceptados almacena en caché las credenciales del usuario ¡siempre!
37
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Soporte 802.11i en los S. Operativos
Windows Vista Incluye el suplicante 802.1X Soporta WPA y WPA2 métodos EAP: EAP-TLS y EAP-PEAP/MS-CHAP-V2 incorpora una API (EAPHost) que permite desarrollar nuevos suplicantes
y nuevos métodos EAP permite restringir los servidores RADIUS aceptados permite elegir si se almacenan o no, en caché, las credenciales del
usuario Permite definir perfiles de conexión para configurar las redes
inalámbricas sin la intervención del usuario incluso con opciones que no podrá modificar
Informa de la seguridad de las redes disponibles
38
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Soporte 802.11i en los S. Operativos
Linux Dependiendo de la distribución puede incluir o no el suplicante 802.1X Se recomienda utilizar wpa-supplicant y Network Manager para la
configuración Soporta WPA y WPA2 admite la mayoría de métodos EAP: EAP-TLS, EAP-TTLS/PAP,
EAP-PEAP/MS-CHAP-V2, … permite restringir los servidores RADIUS aceptados permite elegir si se almacenan o no, en caché, las credenciales del
usuario la configuración puede ser a través de ficheros o mediante la interfaz
gráfica
39
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 eduroam
Es una iniciativa a nivel internacional que permite la movilidad de sus miembros de manera ‘transparente’ con la misma configuración de la red inalámbrica se puede conectar un
usuario en cualquier institución adherida a eduroam la autenticación del usuario la hace siempre la institución de origen (con
seguridad en el tránsito de credenciales) es sencillo detectar si tenemos soporte para eduroam: el SSID es
eduroam Más información:
http://www.eduroam.es, http://eduroam.upv.es
Atención: el cifrado puede ser distinto en cada red
40
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 eduroam en Europa41
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 La red inalámbrica en la UPV
http://wifi.upv.es
42
REDES INALÁMBRICAS Máster de Ingeniería de Computadores-DISCA
Redes Inalámbricas – Tema 6. Seguridad
La tecnología 802.11: WEP y el estándar 802.11i
Seguridad en MANET
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Routing security vulnerabilities
Wireless medium is easy to snoop on Due to ad hoc connectivity and mobility, it is hard to
guarantee access to any particular node (for instance, to obtain a secret key)
Easier for trouble-makers to insert themselves into a mobile ad hoc network (as compared to a wired network)
Open medium Dynamic topology Distributed cooperation
(absence of central authorities) Constrained capability
(energy)
44
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Securing Ad Hoc Networks
Definition of “Attack” RFC 2828 — Internet Security Glossary : “ An assault on system security that derives from an intelligent threat,
i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system.”
Goals Availability: ensure survivability of the network despite denial of service
attacks. The DoS can be targeted at any layer Confidentiality: ensures that certain information is not disclosed to
unauthorized entities. Eg Routing information information should not be leaked out because it can help to identify and locate the targets
Integrity: guarantee that a message being transferred is never corrupted.
Authentication: enables a node to ensure the identity of the nodes communicating.
Non-Repudiation: ensures that the origin of the message cannot deny having sent the message
45
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Routing attacks
Classification: External attack vs. Internal attack
External: Intruder nodes can pose to be a part of the network injecting erroneous routes, replaying old information or introduce excessive traffic to partition the network
Internal: The nodes themselves could be compromised. Detection of such nodes is difficult since compromised nodes can generate valid signatures.
Passive attack vs. Active attack Passive attack: “Attempts to learn or make use of information from the
system but does not affect system resources” (RFC 2828) Active attack: “Attempts to alter system resources or affect their
operation” (RFC 2828)
46
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Normal Flow
Information source
Information destination
47
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Passive Attacks
Sniffer
Passive attacks
Interception (confidentiality)
Release of message contents Traffic analysis
48
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Sniffers
All machines on a network can “hear” ongoing traffic A machine will respond only to data addressed specifically to
it Network interface: “promiscuous mode” – able to capture all
frames transmitted on the local area network segment Risks of Sniffers:
Serious security threat Capture confidential information
Authentication informationPrivate data
Capture network traffic information
49
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Information source
Information destination
Unauthorized party gains access to the asset – ConfidentialityExample: wiretapping, unauthorized copying of files
Interception50
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Passive attacks
Release of message contents Intruder is able to interpret and extract information being transmitted Highest risk: authentication information
Can be used to compromise additional system resources
Traffic analysis Intruder is not able to interpret and extract the transmitted
information Intruder is able to derive (infer) information from the traffic
characteristics
51
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Protection against passive attacks Shield confidential data from sniffers: cryptography Disturb traffic pattern:
Traffic padding Onion routing
Modern switch technology: network traffic is directed to the destination interfaces
Detect and eliminate sniffers
52
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Active attacks
Active attacks
Interruption Modification Fabrication(availability) (integrity) (integrity)
53
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Information source
Information destination
Asset is destroyed or becomes unavailable - AvailabilityExample: destruction of hardware, cutting communicationline, disabling file management system, etc.
Interruption54
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Denial of service attack
Adversary floods irrelevant data Consume network bandwidth Consume resource of a particular node E-mail bombing attack: floods victim’s mail with large bogus
messages Popular Free tools available
Smurf attack: Attacker multicast or broadcast an Internet Control Message Protocol
(ICMP) with spoofed IP address of the victim system Each receiving system sends a respond to the victim Victim’s system is flooded
55
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 TCP SYN flooding
Server: limited number of allowed half-open connections Backlog queue:
Existing half-open connections Full: no new connections can be established Time-out, reset
Attack: Attacker: send SYN requests to server with IP source that unable to
response to SYN-ACK Server’s backlog queue filled No new connections can be established Keep sending SYN requests
Does not affect Existing or open incoming connections Outgoing connections
56
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Protection against DoS, DDoS
Hard to provide full protection Some of the attacks can be prevented
Filter out incoming traffic with local IP address as source Avoid established state until confirmation of client’s identity
Internet trace back: determine the source of an attack
57
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Information source
Information destination
Unauthorized party tampers with the asset – IntegrityExample: changing values of data, altering programs, modify content of a message, etc.
Modification58
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using modification
Attacks using modification Idea:
Malicious node announces better routes than the other nodes in order to be inserted in the ad-hoc network
How ? Redirection by changing the route sequence number Redirection with modified hop count Denial Of Service (DOS) attacks Modify the protocol fields of control messages Compromise the integrity of routing computation Cause network traffic to be dropped, redirected to a different destination
or take a longer route
59
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using modification
Node A Node B Node D
Node C
Intruder
Metric 1 and 3 hops
Metric 1 and 1 hop
Redirection with modified hop count: - The node C announces to B a path with a metric value of one - The intruder announces to B a path with a metric value of one too - B decides which path is the best by looking into the hop count value of each route
60
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using modification
Denial Of Service (DOS) attacks with modified source routes: A malicious node is inserted in the network The malicious node changes packet headers it receives The packets will not reach the destination: The transmission is aborted
Node A Node B Node DNode CIntruder I
Intruder I decapsulates packets, change the header:
A-B-I-C-E
Node A sends packets with header: (route cache to reach node E)
A-B-I-C-D-E
Node C has no direct route with E, also the packets are dropped
Node E
61
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Information source
Information destination
Unauthorized party insets counterfeit object into the system – AuthenticityExample: insertion of offending messages, addition of records to a file, etc.
Fabrication62
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using fabrication
Attacks using fabrication Idea:
Generates traffic to disturb the good operation of an ad-hoc network How ?
Falsifying route error messages
Corrupting routing state Routing table overflow attack Replay attack Black hole attack
63
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using fabrication
Falsifying route error messages: When a node moves, the closest node sends “error” message to the
others A malicious node can usurp the identity of another node (e.g. By using
spoofing) and sends error messages to the others The other nodes update their routing tables with these bad information The “victim” node is isolated
64
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using fabrication
Corrupting routing state: In DSR, routes can be learned from promiscuously received packets A node should add the routing information contained in each packet’s
header it overhears A hacker can easily broadcast a message with a spoofed IP address
such as the other nodes add this new route to reach a special node S It’s the malicious node which will receive the packets intended to S.
65
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using fabrication
Routing table overflow attack: Available in “pro-active” protocols. These protocols try to find routing information before they are needed A hacker can send in the network a lot of route to non-existent nodes
until overwhelm the protocol
66
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using fabrication
Replay attack: A hacker sends old advertisements to a node The node updates its routing table with stale routes
Black hole attack: A hacker advertises a zero metric route for all destinations All the nodes around it will route packets towards it
67
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using impersonation
Attacks using impersonation Idea :
Usurpates the identity of another node to perform changes How ?
Spoofing MAC address of other nodes
68
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using impersonation
Forming loops by spoofing MAC address: A malicious node M can listen all the nodes when the others nodes can
only listen their closest neighbors Node M first changes its MAC address to the MAC address of the node A Node M moves closer to node B than node A is, and stays out of range of
node A Node M announces node B a shorter path to reach X than the node D
gives
A
B
C
D E X
M
69
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using impersonation
Forming loops by spoofing MAC address: Node B changes its path to reach X Packets will be sent first to node A Node M moves closer to node D than node B is, and stays out of range
of node B Node M announces node D a shorter path to reach X than the node E
gives
A
B
C
D E XM
70
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Attacks using impersonation
Forming loops by spoofing MAC address: Node D changes its path to reach X Packets will be sent first to node B X is now unreachable because of the loop formed
A
B
C
D E XM
71
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Other Routing attacks Attacks for routing:
Wormhole attack (tunneling) Invisible node attack The Sybil attack Rushing attack Non-cooperation
72
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Wormhole attack
Colluding attackers uses “tunnels” between them to forward packets
Place the attacker in a very powerful position The attackers take control of the route by claiming a shorter
path
A
M
B
C
N
D
S
tunnel
……..….
73
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Invisible node attack
Attack on DSR Malicious does not append its IP address M becomes “invisible” on the path
CMBS D
74
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 The Sybil attack
Represents multiple identities Disrupt geographic and multi-path routing
M1
B
M4
M5M2
M3
75
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Rushing attack
Directed against on-demand routing protocols The attacker hurries route request packet to the next node to
increase the probability of being included in a route
76
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Non-cooperation Node lack of cooperation, not participate in routing or packet
forwarding Node selfishness, save energy for itself
77
REDES INALÁMBRICAS Máster de Ingeniería de Computadores-DISCA
Redes Inalámbricas – Tema 6. Seguridad
La tecnología 802.11: WEP y el estándar 802.11i
Seguridad en MANET Algunas soluciones
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 TESLA Overview
Broadcast authentication protocol used here for authenticating routing messages Efficient and adds only a single message authentication code (MAC) to a
message Requires asymmetric primitive to prevent others from forging MAC
TESLA achieves asymmetry through clock synchronization and delayed key disclosure
79
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 TESLA Overview (cont.)1. Each sender splits the time into intervals2. It then chooses random initial key (KN)3. Generates one-way key chain through repeated use of a one-way
hash function (generating one key per time interval)KN-1=H[KN], KN-2=H[KN-1]…
These keys are used in reverse order of generation4. The sender discloses the keys based on the time intervals
80
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 TESLA Overview (cont.)
Sender attaches MAC to each packet Computed over the packet’s contents Sender determines time interval and uses corresponding value from
one-way key chain With the packet, the sender also sends the most recent disclosable one-
way chain value Receiver knows the key disclosing schedule
Checks that the key used to compute the MAC is still secret by determining that the sender could not have disclosed it yet
As long as the key is still secret, the receiver buffers the packet When the key is disclosed, receiver checks its correctness
(through self-authentication) and authenticates the buffered packets
81
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Assumptions Of the network
Network links are bidirectional The network may drop, corrupt, reorder or duplicate packets Each node must be able to estimate the end-to-end transmission time to
any other node in the network Disregard physical attacks and Medium Access Control attacks
Of the nodes Resources of nodes may vary greatly, so Ariadne assumes constrained
nodes All nodes have loosely synchronized clocks
82
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Security Assumptions
Three authentication mechanism possibilities: Pairwise secret keys (requires n(n+1)/2 keys) TESLA (shared keys between all source-destination pairs) Digital signatures (requires powerful nodes)
83
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Key Setup Shared secret keys
Key distribution center Bootstrapping from a Public Key Infrastructure Pre-loading at initialization
Initial TESLA keys Embed at initialization Assume PKI and embed Certifications Authority’s public key at each node
84
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Ariadne Overview Authenticate routing messages using one of:
Shared secrets between each pair of nodesAvoids need for synchronization
Shared secrets between communicating nodes combined with broadcast authentication
Requires loose time synchronizationAllows additional protocol optimizations
Digital signatures
85
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Ariadne Notation
A and B are principals (e.g., communicating nodes) KAB and KBA are secret MAC keys shared between A and B MACKAB(M) is computation of MAC of message M using key KAB
86
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Discovery
Assume sender and receiver share secret (non-TESLA) keys for message authentication
Target authenticates ROUTE REQUESTS Initiator includes a MAC computed with end-to-end key Target verifies authenticity and freshness of request using shared key
Data authentication using TESLA keys Each hop authenticates new information in the REQUEST Target buffers REPLY until intermediate nodes release TESLA keys
TESLA security condition is verified at the targetTarget includes a MAC in the REPLY to certify the condition was met
Attacker can remove a node from node list in a REQUEST One-way hash functions verify that no hop was omitted (per-
hop hashing)
87
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Discovery (cont.) Assume all nodes know an authentic key of the TESLA one-way key
chain of every other node Securing ROUTE REQUEST
Target can authenticate the sender (using their additional shared key) Initiator can authenticate each path entry using intermediate TESLA keys No intermediate node can remove any other node in the REQUEST or REPLY
88
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Discovery (cont.)
Upon receiving ROUTE REQUEST, a node: Processes the request only if it is new Processes the request only if the time interval is valid (not too far in the
future, but not for an already disclosed TESLA key) Modifies the request and rebroadcasts it
Appends its address to the node list, replaces the hash chain with H[A, hash chain], appends MAC of entire REQUEST to MAC list using KAi where i is the index for the time interval specified in the REQUEST
89
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Discovery (cont.)
When the target receives the route request: Checks the validity of the REQUEST (determining that the keys from the
time interval have not been disclosed yet and that hash chain is correct) Returns ROUTE REPLY containing eight fields
ROUTE REPLY, target, initiator, time interval, node list, MAC listtarget MAC: MAC computed over above fields with key shared
between target and initiatorkey list: disclosable MAC keys of nodes along the path
90
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Discovery (cont.)
Node forwarding ROUTE REPLY Waits until it can disclose TESLA key from specified interval
Appends that key to the key listThis waiting does delay the return of the ROUTE REPLY but does not
consume extra computational power
91
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Discovery (cont.)
When initiator receives ROUTE REPLY Verifies each key in the key list is valid Verifies that the target MAC is valid Verifies that each MAC in the MAC list is valid using the TESLA keys
92
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Maintenance
Based on DSR Node forwarding a packet to the next hop returns a ROUTE ERROR to the
original sender Prevent unauthorized nodes from sending errors, we require
errors to be authenticated by the sender
93
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Route Maintenance Errors are propagated just as regular data packets
Intermediate nodes remove routes that use the bad link Sending node continues to send data packets along the route
until error is validated Generates additional errors, which are all cleaned up when the error is
finally validated
94
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Anonymous Communication
Sometimes security requirement may include anonymity
Availability of an authentic key is not enough to prevent traffic analysis
We may want to hide the source or the destination of a packet, or simply the amount of traffic between a given pair of nodes
95
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Traffic Analysis
Traditional approaches for anonymous communication, for instance, based on MIX nodes or dummy traffic insertion, can be used in wireless ad hoc networks as well
However, it is possible to develop new approaches considering the broadcast nature of the wireless channel
96
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Nodes
Mix nodes can reorder packets from different flows, insert dummy packets, or delay packets, to reduce correlation between packets in and packets out
M1 B M2 E
A
M3C
DG
F
97
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Nodes
Node A wants to send message M to node G. Node A chooses 2 Mix nodes (in general n mix nodes), say, M1 and M2
M1 B M2 E
A
M3C
DG
F
98
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Nodes
Node A transmits to M1message K1(R1, K2(R2, M)) where Ki() denotes encryption using public key Ki of Mix i, and Ri is a random number
M1 B M2 E
A
M3C
DG
F
99
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Nodes
M1 recovers K2(R2,M) and send to M2
M1 B M2 E
A
M3C
DG
F
100
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Nodes
M2 recovers M and sends to G
M1 B M2 E
A
M3C
DG
F
101
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Nodes
If M is encrypted by a secret key, no one other than G or A can know M
Since M1 and M2 “mix” traffic, observers cannot determine the source-destination pair without compromising M1 and M2 both
102
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10
Alternative Mix Nodes
Suppose A uses M2 and M3 (not M1 and M2) Need to take fewer hops
Choice of mix nodes affects overhead
M1 B M2 E
A
M3C
DG
F
103
RED
ES IN
ALÁ
MB
RIC
AS
MIC
200
9/20
10 Mix Node Selection
Intelligent selection of mix nodes can reduce overhead
With mobility, the choice of mix nodes may have to be modified to reduce cost
However, change of mix selection has the potential for divulging more information
104
