A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Similar documents
Wireless technology Principles of Security

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Appendix E Wireless Networking Basics

Overview of IEEE Networks. Timo Smura

Chapter 3.1 Acknowledgment:

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

Security in IEEE Networks

Outdoor High Power b/g/n Wireless USB Adapter USER MANUAL 4.0

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

Wireless Attacks and Countermeasures

Wireless Networks. Authors: Marius Popovici Daniel Crişan Zagham Abbas. Technical University of Cluj-Napoca Group Cluj-Napoca, 24 Nov.

05 - WLAN Encryption and Data Integrity Protocols

02/21/08 TDC Branch Offices. Headquarters SOHO. Hot Spots. Home. Wireless LAN. Customer Sites. Convention Centers. Hotel

Wireless Network Security

Mobile MOUSe WIRELESS TECHNOLOGY SPECIALIST ONLINE COURSE OUTLINE

WIRELESS USB 2.0 ADAPTER. Manual (DN & DN )

Guide to Wireless Communications, Third Edition. Objectives

IEEE Notes. 1 Local Area Networks. 2 Protocols. 3 Network Model

ECE 435 Network Engineering Lecture 8

Wireless LAN USB Super G 108 Mbit. Manual

WNC-0300USB. 11g Wireless USB Adapter USER MANUAL

Chapter 24 Wireless Network Security

Chapter 17. Wireless Network Security

Status of P Sub-Specification

Wireless Networking based on Chapter 15 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

1. INTRODUCTION. Wi-Fi 1

WIRELESS LANS. By: M. Habibullah Pagarkar Mandar Gori Rajesh Jaiswal

Exam Questions CWSP-205

Wireless Security i. Lars Strand lars (at) unik no June 2004

Multiple Access in Cellular and Systems

Wireless Terms. Uses a Chipping Sequence to Provide Reliable Higher Speed Data Communications Than FHSS

WL-5420AP. User s Guide

Standard For IIUM Wireless Networking

CSMC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. Fall 2018 CMSC417 Set 1 1

Security and Authentication for Wireless Networks

Wireless# Guide to Wireless Communications. Objectives

Family Structural Overview

NT1210 Introduction to Networking. Unit 6: Chapter 6, Wireless LANs

Wireless# Guide to Wireless Communications. Objectives

Wireless Protocols. Training materials for wireless trainers

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

IT220 Network Standards & Protocols. Unit 6: Chapter 6 Wireless LANs

CWNP PW Certified Wireless Analysis Professional. Download Full Version :

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

WLAN a-z 2010/02/15. (C) Herbert Haas

IEEE WLANs (WiFi) Part II/III System Overview and MAC Layer

Overview : Computer Networking. Spectrum Use Comments. Spectrum Allocation in US Link layer challenges and WiFi WiFi

Architecture. Copyright :I1996 IEEE. All rights reserved. This contains parts from an unapproved draft, subject to change

Wireless Technologies

Chapter 7. Basic Wireless Concepts and Configuration. Part I

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

ICE 1332/0715 Mobile Computing (Summer, 2008)

Wireless MAXg Technology

Wireless Networking Basics. Ed Crowley

Wi-Fi Scanner. Glossary. LizardSystems

IEEE Wireless LANs

Configuring WEP and WEP Features

Introduction to Networking Devices

Wireless LAN Security. Gabriel Clothier

WIRELESS LAN/PAN/BAN. Objectives: Readings: 1) Understanding the basic operations of WLANs. 2) WLAN security

IEEE Technical Tutorial. Introduction. IEEE Architecture

Securing Your Wireless LAN


What is Eavedropping?

IEEE i and wireless security

Advanced Security and Mobile Networks

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

based on Chapter 15 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Wireless PCI PCMCIA Super G 108 Mbit. Manual

Configuring Cipher Suites and WEP

SEMESTRAL PROJECT 37MK

Wireless Networks. Lecture 4: Wireless Networking Devices. Assistant Teacher Samraa Adnan Al-Asadi 1

Wireless and Mobile Networks 7-2

WiFi Networks: IEEE b Wireless LANs. Carey Williamson Department of Computer Science University of Calgary Winter 2018

Overview of Security

Wireless Communication and Networking CMPT 371

1. Data Link Layer Protocols

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

Basic processes in IEEE networks

802.11g PC Card/USB Wireless Adapter

FAQ on Cisco Aironet Wireless Security

Wireless LAN -Architecture

Network Encryption 3 4/20/17

Guide to Networking Essentials, 6 th Edition. Chapter 7: Network Hardware in Depth

Guide to Networking Essentials, 6 th Edition. Chapter 7: Network Hardware in Depth

Announcements / Wireless Networks and Applications Lecture 9: Wireless LANs Wireless. Regular Ethernet CSMA/CD.

Technical Introduction

U S E R M A N U A L b/g PC CARD

Basic Wireless Settings on the CVR100W VPN Router

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Shared Access Networks Wireless. 1/27/14 CS mywireless 1

11n Wireless USB Adapter

Wireless Communication and Networking CMPT 371

Wireless LANs. ITS 413 Internet Technologies and Applications

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

WarDriving. related fixed line attacks war dialing port scanning

Transcription:

A Configuration Protocol for Embedded Devices on Secure Wireless Networks Larry Sanders lsanders@ittc.ku.edu 6 May 2003

Introduction Wi-Fi Alliance Formally Wireless Ethernet Compatibility Alliance (WECA) Formed to certify interoperability of Wireless LANs products based on IEEE 802. specification Coined the term Wireless Fidelity (Wi-Fi) What is Wi-Fi WLAN Wireless Ethernet 802. Management and Internetworking 802.3 CSMA/CD 802.3 MAC 802.2 Logical link control (LLC) 802. 802. MAC Network Data Link 802.a, 802.b, 802.g 802.3 PHY 802. FHSS PHY 802. DSSS PHY 802.a OFDM PHY 802.b HR/DSSS PHY Physical 802 Family OSI Model

Motivation Stations on a Wi-Fi Network Unable to utilize traditional configuration protocols such as DHCP until the host has link level connectivity Requires user to enter extra parameters Service Set Identifier (SSID or Network Name) WEP encryption keys Embedded wireless devices Limited input capabilities Additional interfaces costly

Background Types of Wi-Fi Networks Basic Service Set (BSS) Group of Wi-Fi stations Independent networks (IBBS) Sometimes called Ad-Hoc Networks Stations communicate directly with each other Infrastructure networks (BSS) Access Point (AP) used for all communications Stations need only be within range of the AP APs can assist stations with power management by buffering Bridge to Ethernet network

Background Extended Service Set c Extended Service Set Workstation AP Laptop computer BSS Created by linking BSSs c PDA c Backbone network Distribution System Computer AP2 BSS 2 Desktop PC BSS 3 Typically Ethernet Management Laptop Ethernet c AP3 Wi-Fi stations associate with single AP Router Inter-Access Point Protocol (IAPP) Internet

Background Joining a Wi-Fi Network Scanning Find the network Passive or Active Authentication Open-System Authentication Null Authentication always successful Shared-Key Authentication Utilizes WEP Challenge / response Association

Background 802. MAC Frame Control Type of frame, power management, WEP status, etc. Duration/ID Use depends on type of frame Sequence Control Fragmentation and discarding duplicate frames Frame Check Sequence Error detection across entire frame (including 802. header)

Background 802. MAC Frame (continued) Frame body 802. Management frames 802. Control frames 802. Data frames 802.2 Logical-Link Control (LLC) encapsulated data Address Fields (6 octets each)

Background 802. Wired Equivalent Privacy (WEP) Goal Provide security similar to Ethernet Shared Keys 40/64 and 04/28 bit standard key sizes Concatenated with 24 bit Initialization Vector Utilizes RC4 Symmetric stream cipher RSA Security, Inc.

Background WEP Frame Format IV (4 octets) Initialization Vector (3 octets) Concatenated with WEP key Typically implemented as counter Key ID ( octet) 2 bit field that specifies which WEP key ICV (4 octets) Integrity Check Vector (CRC-32) Frame Control Duration Addr Addr 2 Addr 3 Seq Addr 4 802. MAC Header WEP IV DATA FCS Cleartext Encrypted Cleartext

Background Problems with WEP Key Management Must be distributed to all stations Packets can be spoofed and/or modified No Integrity protection for 802. header 802. Authentication No mutual authentication Trivial to defeat station authentication Fluhrer, Mantin, Shamir (FMS attack) Weak IVs Assumes first byte of key stream can be recovered (0xAA SNAP header) Only requires a few million packets to crack WEP

Background 802. Task Group i Charged with increasing 802. security Draft due September 2003 Two new protocols Temporal Key Integrity Protocol (TKIP) Short-term solution Works with legacy hardware via software/firmware updates Counter-Mode-CBC-MAC (CCMP) Long-term solution for future hardware Uses the Advanced Encryption System (AES)

Background 802.x: Port based Network Access Control Based on IETF s Extensible Authentication Protocol Facilitates mutual authentication Method to distribute encryption keys Session keys Group keys

Background 802.x in the Home/Small Business Generally, no Authentication Server on home networks Use of pre-shared keys Wi-Fi Alliance endorsed vendor solution Similar to WEP Has to be distributed manually Becomes base for session keys

Background Vendor Security Enhancements Non-broadcast SSID SSID field in beacon packets zeroed Not very effective Attacks designed to force stations to re-associate Exposes SSID MAC address filtering Authorized list of MAC address Somewhat effective Most NICs allow users to set MAC

Architecture Wi-Fi-Co Wi-Fi-Co Configurator Wi-Fi-Co Target Host Wired Ethernet AP 802. Wi-Fi PDA or Embedded Device Configurator Host Sending Wi-Fi configuration parameters Can be anywhere on the ESS network Target Workstation Host receiving Wi-Fi configuration Embedded wireless device, typically

Architecture Wi-Fi-Co (continued) General idea 802. headers are unencrypted Access Points copy MAC address during the bridging process Data portion encrypted - no use to a station without keys Source address - 6 octets of data Broadcast Ethernet Destination MAC Source MAC TYPE DATA Frame Control Duration/ ID Addr Addr 2 Addr 3 Seq Addr 4 0xAA SNAP Header 0xAA 0x03 RFC 042 encapsulation 0x00-00-00 TYPE DATA FCS 802. Header 802. Data

Architecture Source MAC address Protocol identifier (3 octets) 0:00:00 Private Ethernet MAC pool Sequence ( octet) Fragmented Configuration Data (2 octets) Header SSID WEP Key(s) Feedback Integrity Check MAC Source Address I I I SEQ D D Constant Identifer Data MAC Destination Address ff ff ff ff ff ff Broadcast

Architecture Feedback Positive acknowledgement Optional Once target device is configured and has IP level connectivity TCP connection back to Configurator IP level address assigned Statistics (for development) Configurator must send its address Configurator is modifying MAC addresses

Architecture Protecting the WEP keys Broadcast packets easily intercepted On the wired Ethernet network portion Any Wi-Fi station within range of an Access Point in the ESS Utilizes RC4 Shared key symmetric cipher Embedded devices ship with pre-programmed key Certificate with product code Additional input required on the Configuration host Much easier then input to embedded device

Implementation Header Default key number SSID length Feedback WEP key lengths Version Encryption Designates that the SSID and WEP fields are encrypted Mode/IBSS channel 0 for Infrastructure (BSS or ESS) Non-zero for IBSS Specifies the channel the IBBS is on 5 4 Default Key (0-3) 3 30 Buffer Length is 8 + 4 * KEY_LEN + SSID_LEN + (FB * 6) 3 29 2 28 0 9 SSID LEN (0-32) 27 26 R E S E R V E D (0) 25 8 24 7 6 5 4 3 2 0 FB 23 22 WEP KEY LEN (8 [40/64] or 3 [04/28]) 2 Version (0) 20 E 9 8 7 6 Mode/iBSS Chan (0-4) F E E D B A C K H E A D E R S S ID K E Y 0 K E Y K E Y 2 K E Y 3 C R C -3 2 A D D R

Implementation Wi-Fi Channel Hopping 802.b Direct Sequence Spread Spectrum 4 Channels ( in U.S.), 5 MHz wide Energy leakage 5 channels Access Point setting Each BSS operates on a specific channel Overlapping BSSs 5 channels apart to avoid interference Hopping all channels guarantees traffic has a chance to be received Sequence generally,6,,2,7,

Results Test Setup #2 (Small Network) Wired Ethernet Configurator Wi-Fi Target station Target was Linux laptop Single, constant Wi-Fi channel Test Setup #2 Avg. Conf Time 48 ms Avg. CRC Failure 0.0 Configuration Time (ms) 20 90 70 50 30 0 90 70 50 2 3 4 5 6 7 8 9 00 90 80 70 60 50 40 30 Processed Fragments Trial Time Packets

Results Test Setup #4 (Small Network) Wired Ethernet Wi-Fi Target station Target Linux laptop Target hopping three channels/second Avg. Conf. Time 89 ms Avg. CRC Failures 0.0 Configuration Time (ms) 5000 4500 4000 3500 3000 2500 2000 500 000 500 0 Test Setup #4 2 3 4 5 6 7 8 9 Trial 0 00 90 80 70 60 50 40 30 Processed Fragments Time Packets

Results Test Setup #7 (ITTC s Network) Wired Ethernet Wi-Fi Target station Target was Linux laptop Single, constant Wi-Fi channel Test Setup #7 50 Avg. Conf. Time 9 ms Avg. CRC Failures Configuration Time (ms) 240 90 40 90 2 30 0 90 70 50 Processed Fragments.07 40 2 3 4 5 6 7 8 9 30 Trial Time Packets

Results Test Setup #9 (ITTC s Network) Wired Ethernet Wi-Fi Target station Target was Linux laptop Target hopping three channels/second Test Setup #9 Avg. Conf. Time 78 ms Avg. CRC Failures.3 Configuration Time (ms) 3550 3050 2550 2050 550 050 550 50 3 2 3 2 2 2 2 3 2 3 4 5 6 7 8 9 Trial 230 20 90 70 50 30 0 90 70 50 30 Processed Fragments Series2 Series

Results Test Setup #9 (Continued) Target Within Wi-Fi-Co Configurator Test Setup #9 AP Range of Three Wi-Fi Access Points Workstation Ethernet AP2 Wi-Fi-Co Target Laptop AP3

Results Embedded Device Tests Wi-Fi enabled Smart Wireless Thermostat Designed by Ambient Computing, Inc. Rabbit 2000 8-bit microcontroller 30 MHz clock USB Prism 2.5 Wi-Fi card Rapid prototype Experimental Wi-Fi drivers Poor network performance

Results Test Setup #2 (ITTC s Network) Wired Ethernet Wi-Fi enabled embedded device Target was Smart Wireless Thermostat Target Hopping channel every 5 seconds Test Setup #2 Avg. Conf. Time 0.8 Seconds Avg. CRC Failures Configuration Time (ms) 20050 5050 0050 5050 2 2 2 2 20 0 00 90 80 70 60 50 40 Processed Fragments.29 50 2 3 4 5 6 7 8 9 30 Tria l Time Packets

Conclusions Successfully tested on several networks Small home network Enterprise network at ITTC Target software ported to Linux (tested on Debian, Gentoo, and RedHat) Embedix Embedded Linux (Sharp Zaurus) Dynamic C for the Rabbit Microprocessor (Smart Wireless Thermostat)

Conclusions Challenges overcome Ease of porting to many different platforms, operating systems, and distributions Lessons learned Network safe implementation No limit on initial rate Configurator sent packets Fine for 00 Mbps network Nearly saturated low speed, long haul Wi-Fi link to remote lab

Demo

Questions? Larry Sanders lsanders@ittc.ku.edu 6 May 2003

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback