Link Security A Tutorial

Transcription

1 Link Security A Tutorial Fortress Technologies, Inc. Slide 1

2 Five basic security services Data confidentiality Data integrity Access control and access rights Authentication/Roaming Non-repudiation These services provide assurance against the security threats of unauthorized resource use, masquerade, unauthorized data disclosure, unauthorized data modification, and repudiation, respectively. Slide 2

3 Part 1: What is Link Level Security? We need to define what is link level security and why we need it? Slide 3

4 Link Layer Security? A method of securing a packet and its information above the MAC layer on a point-to-point connection: 1. hide the data contents and upper layer (above layer two) protocol information. 2. protect a packet from having its contents changed. 3. limit who or what is allowed to gain access to the overall network through the point-to-point connection. 4. limit denial of service attacks on a point-to-point segment. 5. eliminate denial of service attacks being perpetrated further in the network. Slide 4

5 Link Layer and Upper Layer IPSec/ SSL End-to-end Security Laptop Router Router Point to Point Security IEEE wlls MAC Layer and Upper Layer IPSec/ SSL Server IEEE End-to-end Security Laptop Point to Point Security Access Point Router Router Server WEP CCMP Slide 5

6 Why is it Needed? Many forms of data link technologies are vulnerable to compromise: WLAN WPAN (Bluetooth) Fixed Wireless Any Public Segment Two Rules of Thumb: It s the responsibility of the network provider that every link in the network is protected (i.e. Link Level Security). It s the responsibility of the user and application provider that the application is secure (i.e. SSL, IPSec, Application Security). Slide 6

7 Packet Layouts Regular Packet DLC Hdr IP Hdr TCP/ UDP Session Hdr Data Trl Encrypted Payload Session Security Protocol DLC Hdr IP Hdr TCP/ UDP Sec Hdr Sec Hdr Session Hdr Data Trl Trl Encrypted Payload IPSec DLC Hdr IP Hdr Sec Hdr Sec Hdr TCP/ UDP Session Hdr Data Trl Trl Encrypted Payload Link DLC Hdr Sec Hdr Sec Hdr IP Hdr TCP/ UDP Session Hdr Data Trl Trl Slide 7

8 Part 1 Conclusion Answered what link layer security is and why it is needed. Cannot view IP or other upper layer header information (such as IP addresses): With IP addresses exposed, hackers can easily compromise a network. ARP poisoning Denial-of-Service attacks can be launched if IP header information is not protected You can t fool with my packet and cause damage. If no end-to-end security protocol (like IPSec) is used, it will guarantee that, at least on that segment, no one will view or compromise by message. A hacker cannot attach to that segment to steal valuable network bandwidth. Control who enters and where they go. Slide 8

9 Part 2: The Mechanics What are the protocols, technologies and methods that make up link level security? Slide 9

10 Data confidentiality Encryption Key Management Data integrity Hashing Replay Protection Access Control/Rights Port Components 802.1x Authentication/Roaming EAP Radius Roaming Non-repudiation Here they are! Slide 10

11 Encryption Encryption technology converts network messages into formats that are speciallydesigned to prevent third parties from accessing their contents. There are two types of encryption protocol: Stream Cipher Block Cipher Slide 11

12 Encryption Encryption Key Memo Memo Date Date To To From From Subject Subject &*%$%^^ &*%$%^^ &&^*%$# Plain Text Encryption Engine Encrypted Text Slide 12

13 Stream Cipher A stream cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. Encryption is accomplished by combining the key stream with the plaintext, usually with the bitwise XOR operation. Types RC-4 (Used in WEP) Slide 13

14 Example: WEP (RC4) Initia liza tion Ve ctor (IV) Secret Key Plaintext PDU Data seed CRC-32 RC4 PRNG Key Sequence Inte grity Che ck Va lue (ICV) IV Ciphertext Message a. Transmit WEP Key IV Ciphertext Seed RC4 PRNG Key stream Plaintext Integrity Algorithm ICV ICV ICV' = ICV? Message b. Receive Slide 14

15 Block Cipher A block cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time. Types DES Triple DES AES Slide 15

16 Modes of Operation The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). Encryption algorithms are seldom used directly, cryptographic mode is used instead. A cryptographic mode usually combines: the basic cipher some sort of feedback some simple operations Ensures that an identical block of text produces different encrypted data. Slide 16

17 Some Modes Some modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter (CTR). Counter with Cipher Block Chaining Message Authentication Code (CCM), Slide 17

18 Example: IEEE i Mode Defines the CCMP protocol. Based on AES using the CCM mode of operation. The CCM mode combines: Counter (CTR) mode privacy and; Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication. Slide 18

19 Example: CCMP Encapsulation PN TA DLEN Increment PN Construct Initialization Block MIC_IV PN=Packet Number TA=Transmitter Address DLEN=MPDU Data Length MPDU=MAC Protocol Data Unit Temporal Key=Crypto and Integrity Key PN TA Construct Counter Counter Plaintext MPDU PN Encode PN Plaintext MPDU with PN Compute MIC using CBC-MAC and append to MPDU Plaintext MPDU with MIC AES CTRmode encrypt data Cipher Text Temporal Key Slide 19

20 Example: CCMP Decapsulation DLEN TA PN Construct Initialization Block TA PN Construct Counter MIC_IV Ciphertext MPDU Previous PN Extract PN & DLen Ciphertext MPDU PN PN Good? Counter AES CTRmode decrypt data Plaintext MPDU with MIC MIC Compute MIC using CBC-MAC and append to MPDU Plaintext MPDU MIC MIC = MIC? MIC OK Temporal Key Discard MPDU Slide 20

21 Key Management This is how you come up with the keys that will be used for encryption and authentication. Two kinds: Shared Static Keys Dynamic Keys Generally-speaking, there are three types of dynamic key establishment techniques: 1. techniques based on asymmetric (public key) algorithms, 2. techniques based on symmetric (secret key) algorithms. 3. hybrid techniques are also commonly used, whereby public key techniques are used to establish symmetric (secret) key encryption keys, which are then used to establish other symmetric (secret) keys. Slide 21

22 Shared Static Key Common Session Key Encryption Key Common Session Key Encryption Key Memo Memo Date Date To To From From Subject Subject Plain Text &*%$%^^ &*%$%^^ &&^*%$# Encrypted Text Memo Memo Date Date To To From From Subject Subject &*%$%^^ &*%$%^^ &&^*%$# Encryption Engine Plain Text Encrypted Text Encryption Engine &*%$%^^ &*%$%^^ &&^*% &&^*% $# Encrypted Text Bob Slide 22 Many

23 Public Key Algorithms Different key on each side RSA Knapsack El-Gamal Elliptic Curve Cryptosystems Slide 23

24 Public Key Public Key Distribution Center Mary s Public Key Bob s Private Key Bob s Public Key Encryption Key Mary s Private Key Encryption Key Memo Memo Date Date To To From From Subject Subject Plain Text &*%$%^^ &*%$%^^ &&^*%$# Encrypted Text Memo Memo Date Date To To From From Subject Subject &*%$%^^ &*%$%^^ &&^*%$# Encryption Engine Plain Text Encrypted Text Encryption Engine &*%$%^^ &*%$%^^ &&^*% &&^*% $# Encrypted Text Bob Slide 24 Mary

25 DES Triple DES AES Secret Key Algorithms Same key on each side. Slide 25

26 Agreeing on a Secret Key Diffie-Hellman Pick a Secret Number Secret Key Select a large prime number p. Select g, a primitive root of p. K Common Crypto Key Xa Ya = gxa mod p Ya K=YaXb mod p K Common Crypto Key Yb Xb K=YbXa mod p Yb = gxb mod p Pick a Secret Number Secret Key Slide 26

27 Data Integrity The integrity of a packet is checked by using a secure hash algorithm. Hash functions take a message as input and produce an output referred to as a hashcode, hash-result, hash-value, or simply hash. Hash functions are used for data integrity in conjunction with digital signature schemes, where for several reasons a message is typically hashed first, and then the hash-value, as a representative of the message, is signed in place of the original message. Unkeyed or a keyed hash function. Slide 27

28 Hash Data Hash Slide 28

29 Unkeyed Hash Algorithms Hash functions based on: block ciphers, customized hash functions, hash functions, modular arithmetic. Slide 29

30 Keyed Hash (MAC/MIC) A distinct class of hash functions, called message authentication codes (MACs) or message integrity code (MICs), allows message authentication by symmetric techniques. MAC algorithms may be viewed as hash functions which take two functionally distinct inputs, a message and a secret key, and produce a fixed-size (say n-bit) output, with the design intent that it be infeasible in practice to produce the same output without knowledge of the key. Slide 30

31 Anti-Replay Anti-replay ensures packet security by making it impossible for a hacker to intercept message packets and insert changed packets into the data stream between a source computer and a destination computer. By detecting packets that match the sequence numbers of those that have already arrived, the anti-replay mechanism helps to ensure that invalid packets are discarded. Slide 31

32 Access Control/Access Rights Access Control is any mechanism by which a system grants or revokes the right to access a network. Access Control can be performed by allowing or denying access base on: a user requiring to submit a Login and Password that will be sent to an authentication server for approval. The user has a particular device that would be approved by an access control server. The user contacts an administrator, the administrator configures packet filters. Access Rights is any mechanism that limit where in a network or on a devices a user can access. Slide 32

33 Authentication System 802.1x Model Slide 33

34 RADIUS Servers RADIUS (Remote Authentication Dial-In User Service) An IETF-defined protocol for administering and securing remote access to a network. User Login and Password information is forwarded to a RADIUS authentication server that validates the user and returns the information necessary for the access server to initiate a session with the user. A dictionary file kept in the RADIUS database determines the types of attributes that can be included in the user profile. The user repeats this process to initiate every session. Slide 34

35 Forms of Authentication Device Authentication Used to allow a particular device onto a network (My PDA can go on a network). User Authentication Used to allow a particular user onto a network (Bill is allowed on the engineering network). Hybrid A user has access to a network with a particular device. Slide 35

36 Roaming Three types of roaming: Roam between authenticator gateways on the same IP subnet without requiring new user and password input. Roam between authenticator gateways on different IP subnets without requiring new user and password input. Roam between authenticator gateways on different IP subnets while perserving IP addressing and state information. Slide 36

37 Roaming same Subnet Server Router Authentication Server Bridge or Access Point Bridge or Access Point Laptop User Authenticates to Bridge or Access Point Laptop Slide 37

38 Roaming between Subnets Application Connection Subnet X Server Router Router Authentication Server Bridge or Access Point Bridge or Access Point Laptop User Authenticates to Bridge or Access Point on Subnet x Roams Laptop User roams to Subnet x Slide 38

39 Non-Repudiation Usually a higher layer function. "Non-repudiation with proof of origin" provides the recipient of data with evidence that proves the origin of the data, and thus protects the recipient against an attempt by the originator to falsely deny sending the data. This service can be viewed as a stronger version of a data origin authentication service, in that it proves authenticity to a third party. Slide 39

40 Part 2: Conclusion Five areas of security. Two type of encryption algorithm. Modes of Operation Data Integrity and Hash Anti-Replay Access Control/Rights/Authentication/Roaming Non-Repudiation Slide 40

41 Part 3: Some MAC/Link Protocols IEEE i IEEE Wireless Link Level Security Protocol Slide 41

42 Problems with WEP 40-bit WEP key Weak IVs IV Replay Known packet attack Known packet start attack Bit Flipping attack Slide 42

43 IEEE i A Robust Security Network provides a number of security features to the IEEE architecture. These features notably include: improvement specifically for legacy wlan equipment in TKIP. enhanced data security and encapsulation mechanism, called CCMP key management algorithms; dynamic cryptographic keys; enhanced authentication mechanisms for both APs and STAs; An RSN makes extensive use of IEEE 802.1X protocols with IEEE to provide the authentication and key management. An RSN introduces several components into the IEEE architecture. These components are only present in RSN systems: The first new component is an IEEE 802.1X Port. A second component is the Authentication Server (AS). Slide 43

44 TKIP fixes WEP The Temporal Key Integrity Protocol (TKIP) is a cipher suite enhancing the WEP protocol on pre-rsn hardware. TKIP computes the MIC over the MSDU source address, destination address, priority, and data, and appends the computed MIC to the MSDU; TKIP discards any MIC padding prior to appending the MIC. TKIP fragments the MSDU into one or more MPDUs; TKIP assigns a monotonically incrementing TSC value to each MPDU it generates, taking care that all the MPDUs generated from the same MSDU use counter values from the same 16-bit counter space. For each MPDU, TKIP uses the key mixing function to compute the WEP seed. TKIP represents the WEP seed as a WEP IV and RC4 key, and passes these with each MPDU to WEP for encapsulation. WEP uses the WEP seed as a WEP default key, identified by a key id associated with the temporal key. Slide 44

45 A: Transmit Temporal Ke y TA TSC Phase 1 key mixing TTAK Key TKIP Phase 2 key mixing WEP seed(s) (represented as WEP IV + RC4 key) MIC Ke y SA + DA + priority Plaintext MSDU Data MIC Plaintext MSDU + MIC Fragment(s) Plaintext MPDU(s) WEP Encapsulation Ciphertext MPDU(s) Temporal Ke y TA B:Receive Phase 1 ke y mixing Ciphertext MPDU MIC Ke y TTAK Key TSC TKIP IV Unmix IV Ke y mixing In-sequence MP DU Out-of-sequence MP DU WEP Seed WEP Decapsulation Plaintext MP DU MPDU with failed WEP ICV Reassemble SA + DA + priority + Plaintext MS DU Micha e l MIC MIC MSDU with failed TKIP MIC Plaintext MSDU Countermeasures MIC = MIC? Slide 45

46 CCMP The CCMP protocol is based on AES using the CCM mode of operation. The CCM mode combines Counter (CTR) mode privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication. CCM uses the same temporal key for both CTR mode and the CBC-MAC. CCM assumes a fresh temporal key for every session. Reuse of a temporal key and packet number voids all security guarantees. Slide 46

47 CCMP encapsulation block diagram PN Increment PN TA DLEN Construct Initialization Block MIC_IV PN TA Construct Counter Counter Plaintext MPDU PN Encode PN Plaintext MPDU with PN Compute MIC using CBC-MAC and append to MPDU Plaintext MPDU with MIC AES CTRmode encrypt data Cipher Text Temporal Key Slide 47

48 CCMP decapsulation block diagram DLEN TA PN Construct Initialization Block TA PN Construct Counter MIC_IV Ciphertext MPDU Previous PN Extract PN & DLen Ciphertext MPDU PN PN Good? Counter AES CTRmode decrypt data Plaintext MPDU with MIC MIC Compute MIC using CBC-MAC and append to MPDU Plaintext MPDU MIC MIC = MIC? MIC OK Temporal Key Discard MPDU Slide 48

49 RSN security association management IEEE uses the notion of a security association to describe secure operation. Secure communications are possible only within the context of a security association, as this is the context providing the state cryptographic keys, counters, sequence spaces, etc. needed for correct operation of the IEEE cipher suites. Slide 49

50 Establishing the IEEE connection and negotiation STA AP Probe Request Probe Response + RSN IE (AP supports MCast/Ucast: CCMP, WRAP, TKIP, WEP and 802.1X EAP Authentication) IEEE Open Authentication (request) IEEE Open Authentication (response) Association Req + RSN IE (Client requests TKIP and 802.1X EAP Authentication) Association Response (success) 802.1X controlled port blocked for client AID Slide 50

51 IEEE 802.1X EAP authentication STA AP 802.1X/EAP-Request Identity 802.1X/EAP-Response Identity (EAP type specific) EAP Access Request/Identity EAP type specific mutual authentication Derive Pairwise Master Key (PMK) 802.1X/EAP-SUCCESS Derive Pairwise Master Key (PMK) EAP Accept (with PMK via MS- MPPE) 802.1X controlled port still blocked for client AID Slide 51

52 Establishing pairwise keys STA AP PMK Derive SNonce Derive PTK EAPoL-Key(Reply Required, Unicast, ANonce) EAPoL-Key(Unicast, SNonce, MIC, STA RSN IE) PMK Derive ANonce Derive PTK EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE) Install Keys Install Keys EAPoL-Key(Unicast, ANonce, MIC) 802.1X controlled port still blocked for client AID Slide 52

53 Group key delivery STA AP GMK Derive GNonce & GTK Encrypt GTK field EAPoL-Key(All Keys Installed, Reply Required, Group Rx, Key Index, Group, GNonce, MIC, GTK) EAPoL-Key(Group, MIC) 802.1X controlled port still blocked for client AID Slide 53

54 IEEE This entity provides services that permit the secure exchange of data at Layer 2. As part of the Logical Link Control (LLC) sublayer, the SDE entity provides a connectionless service immediately above the Medium Access Control (MAC) sublayer in IEEE 802 LANs and MANs. It provides security across the MAC sublayer using cryptographic mechanisms and security services provided transparently at the boundary to the LLC entity. Develop its own Key Management Protocol Slide 54

55 IEEE Slide 55

56 Structure of the SDE PDU Slide 56

57 Key Management The key management model and protocol support three key distribution techniques: manual key distribution, center-based key distribution, certificate-based key distribution. Slide 57

58 Manual Distributed Key Slide 58

59 Center Based Key Distribution Slide 59

60 Center-based key translation Slide 60

61 Certificate-based key distribution Slide 61

62 Multicast key distribution Slide 62

63 wlls Link Level Security Protocol AES, 3DES Dual Diffie-Hellman Key Engine SHA-1 Packet Integrity Anti Replay Device Authentication User Authentication using EAP FIPS Slide 63

64 wlls Packet Slide 64

65 wlls Key Negotiation Slide 65

66 Threat Protection known-key attack. In this attack an adversary obtains some keys used previously and then uses this information to determine new keys. replay. In this attack an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time. impersonation. Here an adversary assumes the identity of one of the legitimate parties in a network. dictionary. This is usually an attack against passwords. Typically, a password is stored in a computer file as the image of an unkeyed hash function. When a user logs on and enters a password, it is hashed and the image is compared to the stored value. An adversary can take a list of probable passwords, hash all entries in this list, and then compare this to the list of true encrypted passwords with the hope of finding matches. Slide 66

67 Attacks on protocols forward search. This attack is similar in spirit to the dictionary attack and is used to decrypt messages. An example of this method was cited in Example interleaving attack. This type of attack usually involves some form of impersonation in an authentication protocol. Slide 67

68 Part 3: Conclusion The new IEEE i recommendations: TKIP for legacy wlan products CCMP for highly secure networks IEEE 802.1x Port Control Authentication and Radius IEEE wlls Threats Slide 68

69 Editorial Comment Proponent of using i. Millions of wireless devices will support i very soon. I believe there are only minor changes to make it a link level security protocol. The changes have to do with: embedded functions at the MAC layer; fragmentation. Our goal would be to secure a point-to-point connection from a gateway across access points and bridges to mobile devices Slide 69

70 Questions or Comments Slide 70