Wireless Networked Systems

Transcription

1 Wireless Networked Systems CS 795/895 - Spring 2013 Lec #5: Medium Access Control High Throughput, Security Tamer Nadeem Dept. of Computer Science

2 High Throughput Networks (802.11n) Slides adapted from Wireless Networking, J. Bernardini Page 2 Spring 2013 CS 795/895 - Wireless Networked Systems

3 802.11n Overview n Enhancements PHY new features MAC new features Page 3 Spring 2013 CS 795/895 - Wireless Networked Systems

4 802.11n PHY Enhancements Page 4 Spring 2013 CS 795/895 - Wireless Networked Systems

5 PHY Key Features MIMO Technology o Enable 2x2 MIMO operation in 20 MHz => 100 Mbps o Up to 4x4 MIMO => 200 Mbps HT Channel Technology o Bandwidth extension option: Using double channel (40 MHz) to achieve higher data rate Page 5 Spring 2013 CS 795/895 - Wireless Networked Systems

6 MIMO - Overview Page 6 Spring 2013 CS 795/895 - Wireless Networked Systems

7 MIMO - Overview Page 7 Spring 2013 CS 795/895 - Wireless Networked Systems

8 MIMO - Multiple-input Multiple-output Ø Mapping of a data stream to multiple parallel data streams and demapping multiple received data streams into a single data stream Ø Sending signals on multiple Tx antenna at the same carrier frequency o Transmitting independent streams of data Space Division Multiplexing (SDM) => increases throughput o Beamforming technology/coding across the antenna Space-Time Coding (STC) => increase range / robustness Transmitter x Receiver MIMO Tx Rx MIMO 2 3 2x x x4 Page 8 Spring 2013 CS 795/895 - Wireless Networked Systems

9 MIMO Multiple Data Streams Page 9 Spring 2013 CS 795/895 - Wireless Networked Systems

10 Antenna Beamforming and Diversity Beamforming (beam steering) employs two transmit antennas to deliver the best multipath signal Diversity (receive combining) uses two receive antennas to capture the best multipath signal MIMO uses multiple transmitters, receivers and antennas to send multiple signals over the same channel, multiplying spectral efficiency. Page 10 Spring 2013 CS 795/895 - Wireless Networked Systems

11 Transmit Beamforming (TxBF) n optional feature Multiple transmitter antennas focus the signal to a receiver Used by radar; phased-array antenna systems Transmitter is the beamformer Receiver is the beamformee Maximum transmission range, fixed power/antenna Std n Feedback from the beamformee allows the beamformer to adjust the antennas (steering matrix) and signal to improve SNR Four forms of TxBF: one implicit method and three explicit methods. Tx Rx Page 11 Spring 2013 CS 795/895 - Wireless Networked Systems

12 Transmit Beamforming (TxBF) Implicit TxBF: o The steering matrix is created by the transmitter o Radio calibration is required by the transmitter to calibrate the difference between its transmit and receive chains. o Radio calibration is achieved using feedback from the receiver. Explicit TxBF: o The receiver make a direct channel estimate and sending this feedback to the transmitter. o The steering matrix can be calculated by either the transmitter or receiver. o Three types of feedback: ² Channel state information: the receiver sends channel information to the transmitter to compute the steering matrix ² Non-compressed beamforming: the receiver calculates and sends the steering matrix to the transmitter ² Compressed beamforming: the receiver sends a compressed steering matrix to the transmitter Page 12 Spring 2013 CS 795/895 - Wireless Networked Systems

13 Beamforming Calibration a) STA A initiates the frame exchange sequence by sending an unsteered PPDU to STA B. The PPDU includes a training request (TRQ= 1) in a +HTC MPDU. b) STA B sends a sounding PPDU in response to the training request from STA A. c) On receiving the sounding PPDU, STA A uses the resulting channel estimate to compute steering matrices, and uses these to send a steered PPDU back to STA B. Page 13 Spring 2013 CS 795/895 - Wireless Networked Systems

14 MIMO Advantage Page 14 Spring 2013 CS 795/895 - Wireless Networked Systems

15 802.11n HT Channel Technology n uses OFDM (just as ag) n has option to use 20 MHz and 40 MHz channels n can use can combine channels for Channel Bonding n can use variable Guard Interval (GI) n can use various Modulation and Coding Schemes (MCS) Page 15 Spring 2013 CS 795/895 - Wireless Networked Systems

16 Non-HT and HT Channels a/g use 20 MHz OFDM channels, each of 52 subcarriers 48-subcarriers transmit data 4-subcarriers transmit pilot tones for calibrations n can use either 20 MHz or 40 MHz channels Each HT 20 MHz channel has 56 subcarriers 52-subcarriers transmit data 4-subcarriers transmit pilot tones for transmitter-receiver calibrations Each HT 40 MHz channel has 114 subcarriers 108-subcarriers transmit data 6-subcarriers transmit pilot tones for transmitter-receiver calibrations Page 16 Spring 2013 CS 795/895 - Wireless Networked Systems

17 Channel Bonding 40 MHz channels are formed by bonding two 20MHz channels When bonding two channels there no need for a guard band 5 GHz UNNI band allows twenty three 20 MHz channels to be bonded 2.4 GHz ISM band allows only one bonding of two 20 MHz channels (only 3 nonoverlapping channels) Page 17 Spring 2013 CS 795/895 - Wireless Networked Systems

18 Guard Interval (GI) Digital Symbol is a collection of bits If the bits overlap Inter-symbol Interference (ISI) is experienced ag uses a 800 ns guard interval between symbols n can use a 800 ns or 400 ns guard interval between symbols 400 ns GI improves throughput by 10% The 400 ns GI should only be used in a good RF environment Page 18 Spring 2013 CS 795/895 - Wireless Networked Systems

19 Modulation and Coding Schemes (MCS) n defines data rates as Modulation and Coding Schemes (MCS) MCS are based upon Modulation technique (BPSK, QPSK, 16-QAM, 64-QAM) Spatial streams (1, 4) Channel size (20 MHz, 40 MHz) Guard Interval (400 ns, 800 ns) n requires Eight mandatory 20 MHz MCSs Total of 78 MCSs Data rates vary from 6.5 Mbps to 600 Mbps Page 19 Spring 2013 CS 795/895 - Wireless Networked Systems

20 HT PHY and MPDU frame is a MAC Protocol Data Unit (MPDU) The payload is the MAC service Unit (MSDU) (layer 7-3 data) MPDU is made up of the header and body At the PHY layer is the Physical Layer Protocol Data Unit (PPDU) PPDU = MPDU + PHY preamble-header n defines three PHY preamble-headers Legacy format, HT Mixed, HT Greenfield CCRI J. Bernardini 20 Page 20 Spring 2013 CS 795/895 - Wireless Networked Systems

21 HT PPDU Formats Non-HT Legacy Mandatory for n Only 20 MHz channels Same format as ag HT Mixed Two part preamble First part can be decoded by ag Second part can not be decoded by ag HT Greenfield Preamble can not be decoded by ag Can use both 20 MHz and 40 MHz channels Page 21 Spring 2013 CS 795/895 - Wireless Networked Systems

22 802.11n MAC Enhancements Page 22 Spring 2013 CS 795/895 - Wireless Networked Systems

23 802.11n New MAC Features Frame Aggregation MSDU/PPDU RIFS: Reduced Inter-frame spacing Block ACK Protection Mechanisms Page 23 Spring 2013 CS 795/895 - Wireless Networked Systems

24 802.11n Frame Aggregation Motivation: Amortize PLCP & MAC overhead Page 24 Spring 2013 CS 795/895 - Wireless Networked Systems

25 802.11n Frame Aggregation A-MSDU Scheme: Multiple MSDUs are bundled to form a MPDU which could consist of multiple sub frames either from multiple sources or for multiple destinations. The PHY header, MAC header and FCS are appended to form PSDU. All MSDU are intended to be received by the same receiver. Sub frames have same sequence number and traffic identifier (TID) (priority). The maximum length of an A-MSDU frame can be 3839 or 7955 bytes Page 25 Spring 2013 CS 795/895 - Wireless Networked Systems

26 802.11n Frame Aggregation A-MPDU Scheme: Multiple MPDUs with a common PHY header are packed as an A-MPDU which can contain several MSDUs and/or A-MSDUs. Selective retransmission due to the presence of individual FCS for each MPDU All the MPDUs in an A-MPDU have same traffic identifier (TID). The maximum length size of an A-MPDU frame is 64 Kbytes. Page 26 Spring 2013 CS 795/895 - Wireless Networked Systems

27 802.11n Interframe Space Page 27 Spring 2013 CS 795/895 - Wireless Networked Systems

28 802.11n HTP Burst Trans. Page 28 Spring 2013 CS 795/895 - Wireless Networked Systems

29 802.11n Block ACK Page 29 Spring 2013 CS 795/895 - Wireless Networked Systems

30 802.11n Block ACK Immediate BlockACK Suitable for High-bandwidth, low latency traffic Delayed BlockACK Suitable for applications that tolerate moderate latency. Page 30 Spring 2013 CS 795/895 - Wireless Networked Systems

31 and n Comparison Page 31 Spring 2013 CS 795/895 - Wireless Networked Systems

32 Summary Page 32 Spring 2013 CS 795/895 - Wireless Networked Systems

33 Network Security Wireless Networking J. Bernardini Page 33 Spring 2013 CS 795/895 - Wireless Networked Systems

34 The Security Risk: RF Leakage Page 34 Spring 2013 CS 795/895 - Wireless Networked Systems

35 Infrastructure mode The association process Unauthenticated and unassociated Authenticated and unassociated Authenticated and associated " All access points transmit a beacon management frame at fixed interval. " A client listens for beacon to identify the access points, and selects the BSS to join. " The client and the access point perform a mutual authentication by exchanging several management frames (talk later) " The client sends an association request frame, and the access point responds with an association response frame. " The client can transmit data frames on the network. 35

36 WEP (Wired Equivalent Privacy) (encrypted traffic) The industry s solution: WEP (Wired Equivalent Privacy) Share a single cryptographic key among all devices Encrypt all packets sent over the air, using the shared key Goals : Confidentiality : Protection against eavesdropping Access Control : Restrict accessibility Data Integrity : Correctness of data Page 36 Spring 2013 CS 795/895 - Wireless Networked Systems

37 RC4 and Stream Ciphers RC4 encryption is Vernam Cipher RC4 is a stream cipher Generates pseudo random keystream from the key( IV Key) Encryption key Plain text data byte Pseudo-random number generator Cipher text byte Page 37 Spring 2013 CS 795/895 - Wireless Networked Systems

38 WEP Protocol Mobile station shares key with Access Point Transmitting a message M - Compute checksum (CRC32) of M and append it to M - Generate keystream using RC4(IV,Key) - Xor <M,C(M)> with keystream - Transmit IV and cipher text Upon receiving Reverse steps IV original unencrypted packet checksum key RC4 IV encrypted packet 24 bits Page 38 Spring 2013 CS 795/895 - Wireless Networked Systems

39 A Property of RC4 Keystream leaks, under known-plaintext attack Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P Let Z = RC4(K, IV) be the RC4 keystream Since C = P Z, we can derive the RC4 keystream Z by P C = P (P Z) = Z This is not a problem... unless keystream is reused! If IV s repeat, confidentiality is at risk If we send two ciphertexts (C, C ) using the same IV, then the xor of plaintexts leaks (P P = C C ), which might reveal both plaintexts If there is redundancy, this may reveal both plaintexts Or, if we can guess one plaintext, the other is leaked Lesson: If RC4 isn t used carefully, it becomes insecure Page 39 Spring 2013 CS 795/895 - Wireless Networked Systems

40 Attack #1: Keystream Reuse WEP didn t use RC4 carefully The problem: IV s frequently repeat The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV s, so after intercepting enough packets, there are sure to be repeats Attackers can eavesdrop on traffic An eavesdropper can decrypt intercepted ciphertexts even without knowing the key Some implemented IV selection strategies: Random: Collision probability P n two packets will share same IV after n packets is P 2 = 1/2 24 for n = 2 and P n = P n 1 +(n 1)(1 P n 1 )/ 2 24 for n > 2. o 50% chance of a collision exists already after only 4823 packets!!! Page 40 Spring 2013 CS 795/895 - Wireless Networked Systems

41 How to get plaintext? IP traffic predictable - well defined structures and message content Login sequences and Welcome messages Sniffing Authentication challenge - plain and cipher text both Sending packets from outside - ping Broadcast packets in both encrypted and unencrypted form - for some implementations Page 41 Spring 2013 CS 795/895 - Wireless Networked Systems

42 Attack from both ends Internet Attacker sends data Attacker AP MS AP encrypts plaintext data Attacker Page 42 Spring 2013 CS 795/895 - Wireless Networked Systems

43 Attack #2: Spoofed Packets Attackers can inject forged traffic Learn RC4(K, IV) using previous attack Since the checksum is unkeyed, you can then create valid ciphertexts that will be accepted by the receiver Attackers can bypass access control All computers attached to wireless net are exposed Forgery Attack Recv-Addr, Src-Addr, Dest-Addr are all unprotected On packets from a STA to the AP, corrupt the Dest-Addr The AP will decrypt data and send it to the forged destination Page 43 Spring 2013 CS 795/895 - Wireless Networked Systems

44 Attack #3: Reaction Attacks P RC4(K) P RC4(K) 0x0101 ACK TCP ACKnowledgement appears TCP checksum on received (modified) packet is valid P & 0x0101 has exactly 1 bit set Attacker can recover plaintext (P) without breaking RC4 Page 44 Spring 2013 CS 795/895 - Wireless Networked Systems

45 Standard Security Mechanisms and Wired Equivalent Privacy (WEP) protocol Key Management Authentication Mechanisms Open System Authentication Shared Key Authentication Access Control Mechanism Closed Network Access Control Access Control Lists 45 Page 45 Spring 2013 CS 795/895 - Wireless Networked Systems

46 Shared Key Authentication Authentication Spoofing 1. Eavesdropping P and C 2. WEP_K_IV_PR = P XOR C size of the stream=size of the authentication frame 3. Send Request to the Access Point, get challenge R 4. CR = WEP_K_IV_PR XOR R and new CRC 5. Follow steps, setup authentication 46 Page 46 Spring 2013 CS 795/895 - Wireless Networked Systems

47 Robust Security Network (RSN) i defines a set of features to establish a RSN association (RSNA) between stations (STAs) Enhanced data encapsulation mechanism CCMP Optional: TKIP Key management and establishment Four-way handshake and group-key handshake Enhanced authentication mechanism for STAs Pre-shared key (PSK); IEEE 802.1x/EAP methods Page 47 Spring 2013 CS 795/895 - Wireless Networked Systems

48 Page 48 Spring 2013 CS 795/895 - Wireless Networked Systems 48 Robust Security Network (RSN) Out of scope of i standard Wireless Station Access Point Authentication Server EAP-TLS EAP 802.1X (EAPoL) RADIUS UDP/IP

49 Robust Security Network (RSN) Operational phases Station Access Point Security Capabilities Discovery 802.1x authentication RADIUS/EAP Authentication Server 802.1x Key Management RADIUS-based Key Distribution Data Protection Page 49 Spring 2013 CS 795/895 - Wireless Networked Systems

50 Robust Security Network (RSN) Discovery message exchange Station Probe Request Access Point Probe Response + RSN IE Open System Auth Open System (success) Association Requst + RSN IE Association Response (success) Page 50 Spring 2013 CS 795/895 - Wireless Networked Systems

51 Robust Security Network (RSN) 802.1x Authentication Centralize network admission policy decisions at the AS Mutual authentication of STA and AS The AS and station derive a Master Key (MK) A Pairwise Master Key (PMK) is derived from MK The AS distributed PMK to the AP In PSK authentication, the authentication phase is skipped PMK = PSK Page 51 Spring 2013 CS 795/895 - Wireless Networked Systems

52 Robust Security Network (RSN) 802.1x key management Station Access Point Authentication Server Use RADIUS to push PMK from AS to AP Use PMK and 4-way Handshake To derive, bind, and verify PTK Use Group Key Handshake to send GTK from AP to station Page 52 Spring 2013 CS 795/895 - Wireless Networked Systems

53 Robust Security Network (RSN) 4-Way Handshake Station EAPoL-Key( ANonce ) Access Point PTK=EAPoL-PRF(PMK, ANonce SNonce AP MAC Addr STA MAC Addr) EAPoL-Key(SNonce, MIC, STA RSN IE) Install TK EAPoL-Key(ANonce, MIC, AP RSN IE, encrypted(gtk)) EAPoL-Key(Unicast, MIC) Derive PTK Install TK Page 53 Spring 2013 CS 795/895 - Wireless Networked Systems

54 Data Encapsulation: Temporal Key Integrity Protocol (TKIP) Optional IEEE802.11i protocol for data confidentiality and integrity TKIP is designed explicitly for implementation on WEP legacy hardware Designed as a wrapper around WEP Can be implemented in software Reuses existing WEP hardware Runs WEP as a sub-component TKIP three new features: A cryptographic message integrity code (MIC) A new IV sequencing discipline The transmitter increments the sequence number with each packet it sends A per-packet key mixing function Page 54 Spring 2013 CS 795/895 - Wireless Networked Systems

55 Temporal Key Integrity Protocol (TKIP) TKIP frame processing Temporal key Transmitter address TKIP sequence counter (TSC) MIC key Source & destination addresses, priority, and payload Phase 1 Key mixing TSC2-TSC5 MICHAEL TTAK Frame payload + MIC Phase 2 Key mixing TSC0-TSC1 TSC0-TSC5 Fragmentation (if required) WEP IV WEP secret key Clear text frames WEP Processing Encrypted and authenticated frames for transmission Page 55 Spring 2013 CS 795/895 - Wireless Networked Systems

56 Temporal Key Integrity Protocol (TKIP) TKIP encapsulation Encrypted MAC Header IV/Key ID Extended IV Data MIC WEP ICV FCS TSC1 WEP Seed TSC0 Rsvd Ext IV Key ID TSC2 TSC3 TSC4 TSC5 Page 56 Spring 2013 CS 795/895 - Wireless Networked Systems

57 Counter Mode with CBC-MAC (CCMP) Both encryption and MIC use AES Uses counter Mode (CTR) to encrypt the payload and MIC Uses CBC-MAC to compute a MIC on the plaintext header and the payload Both encryption and authentication use the same key Encryption Header Payload MIC Authenticated Page 57 Spring 2013 CS 795/895 - Wireless Networked Systems

58 Counter Mode with CBC-MAC (CCMP) CCMP data processing Plaintext frame MAC header Data Packet # Temporal key Key Id Additional authentication data A2 Create nonce CCMP header CCM encryption MAC header CCMP header Data MIC FCS Page 58 Spring 2013 CS 795/895 - Wireless Networked Systems

59 Questions Page 59 Spring 2013 CS 795/895 - Wireless Networked Systems