Wireless Networks, Topic 5: Security - PowerPoint PPT Presentation

Provided by: pman6
1
Wireless Networks, Topic 5: Security
  • 802.11 technology: WEP and the 802.11i standard
  • Security in MANETs

2
Wireless LAN Security Issues
WEP and IEEE 802.11i
  • Issue:
      • A wireless sniffer can view all WLAN data packets
      • Anyone in the AP coverage area can get on the WLAN
  • 802.11 WEP solution:
      • Encrypt all data transmitted between client and AP
      • Without the encryption key, a user cannot transmit or
        receive data

[Figure labels: Wireless LAN (WLAN), Wired LAN, client, access point (AP)]
Goal: make WLAN security equivalent to that of wired LANs
(Wired Equivalent Privacy)
3
WEP Protection for 802.11b
  • Wired Equivalent Privacy
      • No worse than what you get with wire-based systems
  • Criteria:
      • Reasonably strong
      • Self-synchronizing: stations often go in and out of
        coverage
      • Computationally efficient: in HW or SW, since low-MIPS
        CPUs might be used
      • Exportable: US export codes (relaxed in Jan 2000 /
        Wassenaar Arrangement)
      • Optional: not required to use it
  • Objectives:
      • Confidentiality
      • Integrity
      • Authentication

4
WEP: How It Works
  • Secret key (40 bits or 104 bits)
      • Can use up to 4 different keys
  • Initialization vector (24 bits, by IEEE std.)
      • Total of 64 or 128 bits of protection
  • RC4-based pseudo-random number generator (PRNG)
  • Integrity Check Value (ICV): CRC-32

Frame layout: Frame header | IV (4 bytes) | Data (PDU) (≥ 1 byte) | ICV (4 bytes) | FCS
5
WEP Encryption Process
  • Compute the ICV using CRC-32 over the plaintext message.
  • Concatenate the ICV to the plaintext message.
  • Choose a random IV, concatenate it with the secret key and
    input the result to RC4 to produce the pseudo-random key
    sequence.
  • Encrypt plaintext + ICV by bitwise XOR with the key sequence
    to produce the ciphertext.
  • Put the IV in front of the ciphertext.

[Figure: WEP encryption block diagram. Labels: Initialization Vector (IV), Secret Key, Seed, WEP PRNG, Key Sequence, Plaintext, Integrity Algorithm, Integrity Check Value (ICV), Ciphertext, Message]
6
WEP Decryption Process
  • The IV of the message is used to generate the key sequence, k.
  • Ciphertext XOR k → original plaintext + ICV.
  • Verify by computing the integrity check on the plaintext
    (ICV') and comparing it to the recovered ICV.
  • If ICV' ≠ ICV, the message is in error: send an error to MAC
    management and back to the sending station.

[Figure: WEP decryption block diagram. Labels: Secret Key, IV, Seed, WEP PRNG, Key Sequence, Ciphertext, Message, Plaintext, Integrity Algorithm, ICV', ICV, comparison of ICV' with ICV]
7
WEP Station Authentication
  • Wireless Station (WS) sends Authentication
    Request to Access Point (AP).
  • AP sends (random) challenge text T.
  • WS sends challenge response (encrypted T).
  • AP sends ACK/NACK.

8
WEP Weaknesses
  • Forgery attack
      • Packet headers are unprotected; source and destination
        addresses can be faked.
      • The AP will then decrypt data to send to other
        destinations.
      • CRC-32 can be faked by flipping bits.
  • Replay
      • An eavesdropper can record a session and play it back
        later.
  • Collision (24-bit IV: how/when does it change?)
      • Sequential: roll-over in < ½ day on a busy net
      • Random: after 5000 packets, > 50% chance of reuse
  • Weak key
      • If ciphertext and plaintext are known, the attacker can
        determine the key.
      • Certain RC4 weak keys reveal too many bits; the RC4 base
        key can then be determined.
      • Well-known attack described in the Fluhrer/Mantin/Shamir
        paper
          • "Weaknesses in the Key Scheduling Algorithm of RC4",
            Scott Fluhrer, Itsik Mantin, and Adi Shamir
          • using AirSnort: http://airsnort.shmoo.com/
          • Also WEPCrack: http://wepcrack.sourceforge.net/
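
The encryption and decryption steps of slides 5 and 6, and the IV collision weakness of slide 8, as an added example (not part of the original presentation). The key, IVs and payloads are constructed sample values; `frame_accepted`, `iv_collision_probability` and `same_iv_leak` are names introduced here for illustration.

```python
import math
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling followed by `length` output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Return the 4-byte IV field (24-bit IV + key-ID byte) followed by the ciphertext."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):     # 40- or 104-bit key
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    body = plaintext + icv(plaintext)                      # plaintext + ICV
    keystream = rc4(iv + secret_key, len(body))            # seed = IV || secret key
    return iv + bytes([key_id << 6]) + xor(body, keystream)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Regenerate the key sequence from the frame's IV and verify ICV' against ICV."""
    iv, ciphertext = frame[:3], frame[4:]
    body = xor(ciphertext, rc4(iv + secret_key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame is in error")
    return plaintext


def frame_accepted(secret_key: bytes, frame: bytes) -> bool:
    try:
        wep_decrypt(secret_key, frame)
        return True
    except ValueError:
        return False


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday approximation: chance that at least two randomly chosen IVs coincide."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * 2 ** iv_bits))


def same_iv_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 XOR C2 = P1 XOR P2."""
    c1 = wep_encrypt(secret_key, iv, p1)[4:]
    c2 = wep_encrypt(secret_key, iv, p2)[4:]
    return xor(c1, c2)[: min(len(p1), len(p2))]


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                      # constructed 40-bit key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"hello, AP")
    print(wep_decrypt(key, frame))
    print(round(iv_collision_probability(5000), 3))
```

The collision figure reproduces the slide's "after 5000 packets, > 50%" claim for randomly chosen IVs, and `same_iv_leak` shows why a repeated IV matters: the XOR of the two plaintexts is recoverable from the ciphertexts alone.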

9
Ways to Improve Security with WEP
  • Use WEP(!)
  • Change the wireless network name from the default
      • any, 101, tsunami
  • Turn on the closed group feature, if available in the AP
      • Turns off beacons, so you must know the name of the
        wireless network
  • MAC access control table in the AP
      • Use the Media Access Control addresses of wireless LAN
        cards to control access
  • Use RADIUS support if available in the AP
      • Define user profiles based on user name and password
  • War driving in New Orleans (back in December 2001)
      • Equipment
          • Laptop, wireless card, software
          • GPS, booster antenna (optional)
      • Results
          • 64 wireless LANs
          • Only 8 had WEP enabled (12%)
          • 62 APs + 2 peer-to-peer networks
          • 25 default (out-of-the-box) settings (39%)
          • 29 used the company name for the ESSID (45%)

10
War Driving
  • Locating wireless access points while in motion
      • http://www.wardrive.net/
  • Adversarial tools
      • Laptop with wireless adapter
      • External omni-directional antenna
      • Net Stumbler or variants: http://www.netstumbler.com/
      • GPS

[Figure labels: With GPS support; send constant probe requests]
11
War Driving in New Orleans (back in December 2001)
12
Quick and dirty 802.11 Security Methods
  • SSID Closed mode
  • MAC layer security

13
Quick and dirty Security Methods: Closed Mode of Operation
  • Hide the SSID
  • All devices in a WLAN must have the same SSID to communicate
  • The SSID is not released
  • Beacon messages are removed
  • The client has to know the exact SSID to connect
  • It performs active scanning, sending probe requests

14
Attacking 802.11 Closed Mode
15
Man-in-the-middle Attack
16
Quick and dirty 802.11 Security Methods
  • SSID Closed mode
  • MAC layer security

17
Quick and dirty Security Methods: MAC Layer Security
  • Based on MAC addresses
  • MAC filters
      • Allow association of a MAC
      • Deny association of a MAC

18
Bypass MAC Filters: MAC Spoofing
19
Rogue AP
  • Install fake AP and web server software
  • Convince the wireless client to
      • Disassociate from the legitimate AP
      • Associate to the fake AP
  • Present a similar web application to the user to collect
    passwords
  • Adversarial tools
      • Any web server running on Unix or MS environments
      • Fake AP (http://www.blackalchemy.to/project/fakeap/)

[Figure labels: Reconnect to louder AP; run fake AP software and web server]

20
IEEE 802.11i: Introduction
  • 802.11 wireless networks still have a reputation for being
    insecure
  • Since 2004 the 802.11i standard has been available, providing
    a high level of security for this type of network
      • no effective attack has been described against WPA2 in
        infrastructure mode (correctly configured)
  • WEP stopped being an option in 2001
      • but we keep making fun of it!
      • it is no longer part of the 802.11 standard (its use is
        deprecated by the 802.11i amendment)
  • Current technology allows secure Wi-Fi networks

21
Timeline of 802.11 security
[Figure: timeline with the years 1997, 1999, 2001, 2003 and 2004. Labels: 802.11, 802.11b, 802.11a, 802.11g, 802.11i, Wi-Fi, WEP, WPA, WPA2]
22
Where did WEP go wrong?
  • it uses a single secret key for everything: authentication,
    confidentiality
      • and that key is used on every device, all the time
  • key management is manual
  • authentication covers only the client device
      • the user is not authenticated, and neither is the network
  • the IV is too small, and the way it is used weakens the
    protocol
  • integrity does not work (CRC is not a good code)
      • and it does not cover the source and destination addresses

23
What can we do?
  • Do not try to solve everything at once
  • Find the right protocol for each function
  • Allow automatic management of encryption keys
  • Change keys frequently, obtaining them automatically
  • Authenticate the user, not the device
  • Authenticate the network (there are bad networks too)
  • Use robust protocols for authentication, integrity and
    confidentiality

24
First approach: 802.1X
  • Port-based network access control
      • once a station has authenticated and associated, it is
        not given access to the network until the user
        authenticates successfully
  • Components: supplicant, authenticator and authentication
    server
  • Uses EAP as the authentication framework
  • EAP allows different authentication protocols to be used:
    MD5, MS-CHAPv2, ...
  • Using a cryptographic method for authentication makes it
    possible to generate secret keys
      • they can also be distributed securely

25
EAP Methods (1)
  • EAP methods in Wi-Fi networks must provide:
      • protection of the user's credentials
      • mutual authentication, user ↔ network
      • key derivation
  • Solution: use a TLS tunnel
      • the server authenticates with a digital certificate
      • the credentials travel protected
      • TLS generates a master key
  • Which server authenticates? RADIUS
      • it works with different user databases
      • it scales through a hierarchy of servers (a tree)

26
EAP Methods (2)
  • The most common in Wi-Fi:
      • EAP-TLS: digital certificates are used at both ends
      • EAP-TTLS (Tunneled TLS): in a first phase a TLS tunnel is
        established from the server's digital certificate; in
        the second phase any other authentication method is used
        (protected by the tunnel), e.g. PAP, MD5, ...
      • EAP-PEAP (Protected EAP): equivalent to TTLS, but only
        EAP methods are used for the second phase: TLS,
        MS-CHAP-V2, ...
  • If two phases are used:
      • anonymous identity in the outer authentication (domain)
      • real identity in the inner authentication

27
The RADIUS service
  • Authenticates users who establish remote or 802.1X
    connections
  • Can work with different user account repositories
      • Windows Active Directory, LDAP, files, ...
  • If the user does not belong to its domain, it forwards the
    request to its parent in the RADIUS hierarchy
      • in two-phase methods the outer identity is used to route
        the request
  • The encrypted channels (TLS tunnels) are established between
    the supplicant and the final RADIUS server that handles the
    request

28
RADIUS hierarchy
29
First solution: WPA
  • While the IEEE works on the new 802.11i standard, the
    weaknesses of WEP force the use of encryption protocols at
    layers above the link layer
  • Industry is reluctant to adopt 802.11 networks
  • The Wi-Fi Alliance consortium decides to release the
    commercial standard WPA (Wi-Fi Protected Access)
  • It is based on a draft of the 802.11i standard and is a
    subset of it
      • forward compatible
  • It solves all the problems raised by WEP with measures that
    are valid in the medium term

30
Confidentiality in WPA: TKIP
  • TKIP (Temporal Key Integrity Protocol) is the encryption
    protocol designed to replace WEP while reusing existing
    hardware
  • It is part of the 802.11i standard
      • although it is considered a protocol to be deprecated
  • Among its features:
      • it uses master keys from which the keys are derived
      • the IV grows considerably (from 24 to 48 bits)
      • every frame has its own RC4 key
      • it prevents retransmission of old frames
      • it checks integrity with the Michael algorithm
      • it does not offer maximum security, but it incorporates
        countermeasures against attacks (60 s disconnection and
        key generation)

31
How is WPA configured?
  • Open 802.11 authentication
  • 802.1X authentication (in infrastructure mode)
      • EAP methods with a TLS tunnel
      • anonymous outer identity, if possible
      • restriction of the accepted RADIUS servers
  • TKIP encryption
  • What if we are in a SOHO environment?
      • there are no RADIUS servers
      • we cannot authenticate the user as we have so far
      • we cannot generate the master key
      • → we use a key pre-shared among everyone!

32
The definitive solution: 802.11i / WPA2
  • The CCMP protocol provides encryption (using AES) and
    integrity protection
      • it is considered the most secure encryption algorithm
        today (no attack against it has been devised)
      • it needs hardware support to avoid a performance penalty
      • although design improvements have been incorporated to
        make it more efficient
  • The RSN (Robust Security Network) concept is established
      • networks in which all associations between two devices
        are of type RSNA → key exchange with a 4-Way Handshake

33
RSNA-type associations
  • Once the user has authenticated to the RADIUS server, both
    have generated a master key
  • The RADIUS server provides this key to the AP
  • The access point and the client carry out a dialogue (of 4
    messages) in which they
      • check that the other party holds the master key
      • synchronize the installation of temporal keys
      • confirm the selection of cryptographic protocols
  • The temporal keys are of two types
      • for unicast traffic (station ↔ AP)
      • for multicast and broadcast traffic (AP → stations)

34
How is WPA2 configured?
  • Open 802.11 authentication
  • 802.1X authentication (in infrastructure mode)
      • EAP methods with a TLS tunnel
      • anonymous outer identity, if possible
      • restriction of the accepted RADIUS servers
  • AES encryption
  • What if we are in a SOHO environment?
      • we use a key pre-shared among everyone
      • this key serves as authentication
      • this is the master key from which the rest are generated
      • THE PASSPHRASE MUST BE MORE THAN 20 CHARACTERS LONG
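
The 4-message dialogue of the "RSNA-type associations" slide and the pre-shared master key of this slide, as an added example (not part of the original presentation). The key derivations follow IEEE 802.11i (PBKDF2 for the PSK, the HMAC-SHA1 PRF for the pairwise temporal keys); the message bodies are simplified byte strings rather than real EAPOL-Key frames, group key delivery is omitted, and the function names are introduced here for illustration.

```python
import hashlib
import hmac
import os


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """SOHO mode: the 256-bit master key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_meets_slide_policy(passphrase: str) -> bool:
    """More than 20 characters (slide), at most 63 (limit for a WPA passphrase)."""
    return 20 < len(passphrase) <= 63


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Temporal keys for unicast traffic, bound to both addresses and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def mic(kck: bytes, message: bytes) -> bytes:
    """Message integrity code keyed with the key confirmation key (KCK)."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, ap_mac: bytes, sta_mac: bytes,
                       cipher: bytes = b"CCMP"):
    """Simulate both sides; return (AP temporal key, station temporal key)."""
    anonce = os.urandom(32)                      # message 1, AP -> STA: ANonce
    snonce = os.urandom(32)
    sta = derive_ptk(pmk_sta, ap_mac, sta_mac, anonce, snonce)
    m2 = b"M2" + snonce + cipher                 # message 2, STA -> AP: SNonce + MIC
    m2_mic = mic(sta["kck"], m2)
    ap = derive_ptk(pmk_ap, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(mic(ap["kck"], m2), m2_mic):
        raise ValueError("message 2: station does not hold the master key")
    m3 = b"M3" + anonce + cipher                 # message 3, AP -> STA: install keys
    m3_mic = mic(ap["kck"], m3)
    if not hmac.compare_digest(mic(sta["kck"], m3), m3_mic):
        raise ValueError("message 3: AP does not hold the master key")
    m4 = b"M4"                                   # message 4, STA -> AP: confirmation
    if not hmac.compare_digest(mic(ap["kck"], m4), mic(sta["kck"], m4)):
        raise ValueError("message 4: confirmation failed")
    return ap["tk"], sta["tk"]                   # both sides now install the same key


def handshake_succeeds(pmk_ap: bytes, pmk_sta: bytes, ap_mac: bytes, sta_mac: bytes) -> bool:
    try:
        tk_ap, tk_sta = four_way_handshake(pmk_ap, pmk_sta, ap_mac, sta_mac)
        return tk_ap == tk_sta
    except ValueError:
        return False


if __name__ == "__main__":
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    pmk = psk_from_passphrase("a constructed passphrase of 40 characters", "example-ssid")
    print(handshake_succeeds(pmk, pmk, ap_mac, sta_mac))
```

Because every station sharing the passphrase derives the same master key, the strength of the whole network rests on the passphrase, which is why the slide insists on its length.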

35
WPA and WPA2
  • WPA can run on all hardware that supported WEP (it only
    needs a firmware update)
  • WPA2 needs recent hardware (2004 ?)
  • WPA will end up being compromised in the medium term and is
    recommended only as a transition to WPA2
  • Some APs allow a mixed mode that accepts both WPA clients and
    WPA2 clients in the same cell
      • there is a small degradation in the group keys
      • (this mode has given us problems with some PDAs)

36
802.1X pre-authentication
  • Establishing the association and generating the keys is
    costly and can affect mobility
  • Pre-authentication consists of establishing the security
    context with one AP while associated with another
  • The traffic between the station and the new AP travels over
    the wired network
  • When roaming finally takes place, the client indicates that
    the initial association has already been made
  • Only available in WPA2 (excluded from WPA)

37
802.11i support in operating systems
  • Windows Mobile
      • Every PDA is a world of its own!
      • Includes the 802.1X supplicant
      • Supports only WPA (TKIP encryption)
      • EAP methods: EAP-TLS and EAP-PEAP/MS-CHAP-V2
  • Windows XP SP2
      • Includes the 802.1X supplicant
      • Supports WPA (out of the box). The update to WPA2 can be
        applied (if the card supports it)
      • this update is not applied through Windows Update
      • EAP methods: EAP-TLS and EAP-PEAP/MS-CHAP-V2
      • allows the accepted RADIUS servers to be restricted
      • always caches the user's credentials!

38
802.11i support in operating systems
  • Windows Vista
      • Includes the 802.1X supplicant
      • Supports WPA and WPA2
      • EAP methods: EAP-TLS and EAP-PEAP/MS-CHAP-V2
      • incorporates an API (EAPHost) that allows new supplicants
        and new EAP methods to be developed
      • allows the accepted RADIUS servers to be restricted
      • lets you choose whether or not the user's credentials are
        cached
      • Allows connection profiles to be defined so that wireless
        networks are configured without user intervention
      • even with options that the user cannot modify
      • Reports the security of the available networks

39
802.11i support in operating systems
  • Linux
      • Depending on the distribution, the 802.1X supplicant may
        or may not be included
      • Using wpa-supplicant and Network Manager for
        configuration is recommended
      • Supports WPA and WPA2
      • supports most EAP methods: EAP-TLS, EAP-TTLS/PAP,
        EAP-PEAP/MS-CHAP-V2, ...
      • allows the accepted RADIUS servers to be restricted
      • lets you choose whether or not the user's credentials are
        cached
      • configuration can be done through files or through the
        graphical interface

40
eduroam
  • An international initiative that lets its members roam
    transparently
      • with the same wireless network configuration, a user can
        connect at any institution that has joined eduroam
      • user authentication is always performed by the home
        institution (with the credentials protected in transit)
      • it is easy to tell whether eduroam is supported: the SSID
        is eduroam
  • More information
      • http://www.eduroam.es, http://eduroam.upv.es
  • Note: the encryption may be different in each network

41
eduroam in Europe
42
The wireless network at the UPV
  • http://wifi.upv.es

43
Wireless Networks, Topic 5: Security
  • 802.11 technology: WEP and the 802.11i standard
  • Security in MANETs

44
Routing security vulnerabilities
  • Wireless medium is easy to snoop on
  • Due to ad hoc connectivity and mobility, it is
    hard to guarantee access to any particular node
    (for instance, to obtain a secret key)
  • Easier for trouble-makers to insert themselves
    into a mobile ad hoc network (as compared to a
    wired network)
  • Open medium
  • Dynamic topology
  • Distributed cooperation (absence of central authorities)
  • Constrained capability (energy)

45
Securing Ad Hoc Networks
  • Definition of "attack" (RFC 2828, Internet Security
    Glossary):
      • An assault on system security that derives from an
        intelligent threat, i.e., an intelligent act that is a
        deliberate attempt (especially in the sense of a method
        or technique) to evade security services and violate the
        security policy of the system.
  • Goals
      • Availability: ensures survivability of the network
        despite denial-of-service attacks. The DoS can be
        targeted at any layer.
      • Confidentiality: ensures that certain information is not
        disclosed to unauthorized entities. E.g., routing
        information should not be leaked, because it can help to
        identify and locate the targets.
      • Integrity: guarantees that a message being transferred is
        never corrupted.
      • Authentication: enables a node to ensure the identity of
        the nodes it is communicating with.
      • Non-repudiation: ensures that the origin of the message
        cannot deny having sent the message.

46
Routing attacks
  • Classification
  • External attack vs. internal attack
      • External: intruder nodes can pose as part of the network,
        injecting erroneous routes, replaying old information or
        introducing excessive traffic to partition the network
      • Internal: the nodes themselves could be compromised.
        Detection of such nodes is difficult since compromised
        nodes can generate valid signatures.
  • Passive attack vs. active attack
      • Passive attack: attempts to learn or make use of
        information from the system but does not affect system
        resources (RFC 2828)
      • Active attack: attempts to alter system resources or
        affect their operation (RFC 2828)

47
Normal Flow
[Figure labels: Information source; Information destination]
48
Passive Attacks
[Figure labels: Sniffer; Passive attacks; Interception (confidentiality); Release of message contents; Traffic analysis]
49
Sniffers
  • All machines on a network can hear ongoing traffic
  • A machine will respond only to data addressed specifically to
    it
  • Network interface in promiscuous mode: able to capture all
    frames transmitted on the local area network segment
  • Risks of sniffers
      • Serious security threat
      • Capture confidential information
          • Authentication information
          • Private data
      • Capture network traffic information

50
Interception
[Figure labels: Information source; Information destination]
Unauthorized party gains access to the asset (confidentiality).
Example: wiretapping, unauthorized copying of files.
51
Passive attacks
  • Release of message contents
      • Intruder is able to interpret and extract the information
        being transmitted
      • Highest risk: authentication information
      • Can be used to compromise additional system resources
  • Traffic analysis
      • Intruder is not able to interpret and extract the
        transmitted information
      • Intruder is able to derive (infer) information from the
        traffic characteristics

52
Protection against passive attacks
  • Shield confidential data from sniffers: cryptography
  • Disturb the traffic pattern
      • Traffic padding
      • Onion routing
  • Modern switch technology: network traffic is directed to the
    destination interfaces
  • Detect and eliminate sniffers

53
Active attacks
54
Interruption
[Figure labels: Information source; Information destination]
Asset is destroyed or becomes unavailable (availability).
Example: destruction of hardware, cutting a communication line,
disabling the file management system, etc.
55
Denial of service attack
  • Adversary floods irrelevant data
      • Consumes network bandwidth
      • Consumes resources of a particular node
  • E-mail bombing attack: floods the victim's mail with large
    bogus messages
      • Popular
      • Free tools available
  • Smurf attack
      • Attacker multicasts or broadcasts an Internet Control
        Message Protocol (ICMP) message with the spoofed IP
        address of the victim system
      • Each receiving system sends a response to the victim
      • The victim's system is flooded

56
TCP SYN flooding
  • Server: limited number of allowed half-open connections
  • Backlog queue
      • Existing half-open connections
      • Full: no new connections can be established
      • Time-out, reset
  • Attack
      • Attacker sends SYN requests to the server with an IP
        source that is unable to respond to the SYN-ACK
      • The server's backlog queue is filled
      • No new connections can be established
      • Attacker keeps sending SYN requests
  • Does not affect
      • Existing or open incoming connections
      • Outgoing connections

57
Protection against DoS, DDoS
  • Hard to provide full protection
  • Some of the attacks can be prevented
      • Filter out incoming traffic with a local IP address as
        source
      • Avoid established state until confirmation of the
        client's identity
  • Internet traceback: determine the source of an attack

58
Modification
[Figure labels: Information source; Information destination]
Unauthorized party tampers with the asset (integrity).
Example: changing values of data, altering programs, modifying
the content of a message, etc.
59
Attacks using modification
  • Idea
      • A malicious node announces better routes than the other
        nodes in order to be inserted in the ad hoc network
  • How?
      • Redirection by changing the route sequence number
      • Redirection with modified hop count
      • Denial of service (DoS) attacks
  • Modify the protocol fields of control messages
  • Compromise the integrity of routing computation
  • Cause network traffic to be dropped, redirected to a
    different destination or to take a longer route

60
Attacks using modification
  • Redirection with modified hop count
      • Node C announces to B a path with a metric value of one
      • The intruder announces to B a path with a metric value of
        one too
      • B decides which path is the best by looking at the hop
        count value of each route

[Figure labels: "Metric 1 and 3 hops"; "Metric 1 and 1 hop"]
61
Attacks using modification
  • Denial of service (DoS) attacks with modified source routes
      • A malicious node is inserted in the network
      • The malicious node changes the headers of the packets it
        receives
      • The packets will not reach the destination
      • The transmission is aborted

[Figure: Node A sends packets with header (route cache to reach node E) A-B-I-C-D-E. Intruder I decapsulates the packets and changes the header to A-B-I-C-E. Node C has no direct route to E, so the packets are dropped.]
62
Fabrication
[Figure labels: Information source; Information destination]
Unauthorized party inserts a counterfeit object into the system
(authenticity). Example: insertion of offending messages,
addition of records to a file, etc.
63
Attacks using fabrication
  • Idea
      • Generate traffic to disturb the good operation of an
        ad hoc network
  • How?
      • Falsifying route error messages
      • Corrupting routing state
      • Routing table overflow attack
      • Replay attack
      • Black hole attack

64
Attacks using fabrication
  • Falsifying route error messages
      • When a node moves, the closest node sends an error
        message to the others
      • A malicious node can usurp the identity of another node
        (e.g. by spoofing) and send error messages to the others
      • The other nodes update their routing tables with this bad
        information
      • The victim node is isolated

65
Attacks using fabrication
  • Corrupting routing state
      • In DSR, routes can be learned from promiscuously received
        packets
      • A node should add the routing information contained in
        the header of each packet it overhears
      • A hacker can easily broadcast a message with a spoofed IP
        address so that the other nodes add this new route to
        reach a special node S
      • It is the malicious node that will receive the packets
        intended for S

66
Attacks using fabrication
  • Routing table overflow attack
      • Possible in proactive protocols
      • These protocols try to find routing information before it
        is needed
      • A hacker can send into the network many routes to
        non-existent nodes until the protocol is overwhelmed

67
Attacks using fabrication
  • Replay attack
      • A hacker sends old advertisements to a node
      • The node updates its routing table with stale routes
  • Black hole attack
      • A hacker advertises a zero-metric route for all
        destinations
      • All the nodes around it will route packets towards it

68
Attacks using impersonation
  • Idea
      • Usurp the identity of another node to perform changes
  • How?
      • Spoofing the MAC address of other nodes

69
Attacks using impersonation
  • Forming loops by spoofing MAC addresses
      • A malicious node M can hear all the nodes, while the
        other nodes can only hear their closest neighbors
      • Node M first changes its MAC address to the MAC address
        of node A
      • Node M moves closer to node B than node A is, and stays
        out of range of node A
      • Node M announces to node B a shorter path to reach X than
        the one node D gives

[Figure: topology with nodes A, B, C, D, E, X and malicious node M]
70
Attacks using impersonation
  • Forming loops by spoofing MAC addresses
      • Node B changes its path to reach X
      • Packets will be sent first to node A
      • Node M moves closer to node D than node B is, and stays
        out of range of node B
      • Node M announces to node D a shorter path to reach X than
        the one node E gives

71
Attacks using impersonation
  • Forming loops by spoofing MAC addresses
      • Node D changes its path to reach X
      • Packets will be sent first to node B
      • X is now unreachable because of the loop formed

[Figure: topology with nodes A, B, C, D, E, X and malicious node M]
72
Other Routing attacks
  • Attacks for routing
  • Wormhole attack (tunneling)
  • Invisible node attack
  • The Sybil attack
  • Rushing attack
  • Non-cooperation

73
Wormhole attack
  • Colluding attackers use tunnels between them to forward
    packets
  • Places the attackers in a very powerful position
  • The attackers take control of the route by claiming a shorter
    path

[Figure: tunnel between colluding nodes M and N. Other labels: S, A, B, C, D]
74
Invisible node attack
  • Attack on DSR
  • The malicious node does not append its IP address
  • M becomes invisible on the path

[Figure: path with nodes S, B, M, C, D]
75
The Sybil attack
  • Represents multiple identities
  • Disrupts geographic and multi-path routing

[Figure: node B and identities M1, M2, M3, M4, M5]
76
Rushing attack
  • Directed against on-demand routing protocols
  • The attacker hurries the route request packet to the next
    node to increase the probability of being included in a
    route

77
Non-cooperation
  • Lack of cooperation: a node does not participate in routing
    or packet forwarding
  • Node selfishness: a node saves energy for itself

78
Wireless Networks, Topic 5: Security
  • 802.11 technology: WEP and the 802.11i standard
  • Security in MANETs
  • Some solutions

79
TESLA Overview
  • Broadcast authentication protocol used here for
    authenticating routing messages
  • Efficient and adds only a single message
    authentication code (MAC) to a message
  • Requires asymmetric primitive to prevent others
    from forging MAC
  • TESLA achieves asymmetry through clock
    synchronization and delayed key disclosure

80
TESLA Overview (cont.)
  • 1. Each sender splits the time into intervals
  • 2. It then chooses a random initial key ($K_N$)
  • 3. It generates a one-way key chain through repeated use of a
    one-way hash function (generating one key per time interval)
      • $K_{N-1} = H[K_N]$, $K_{N-2} = H[K_{N-1}]$, ...
      • These keys are used in reverse order of generation
  • 4. The sender discloses the keys based on the time intervals

81
TESLA Overview (cont.)
  • Sender attaches a MAC to each packet
      • Computed over the packet's contents
      • Sender determines the time interval and uses the
        corresponding value from the one-way key chain
      • With the packet, the sender also sends the most recent
        disclosable one-way chain value
  • Receiver knows the key disclosure schedule
      • Checks that the key used to compute the MAC is still
        secret by determining that the sender could not have
        disclosed it yet
      • As long as the key is still secret, the receiver buffers
        the packet
      • When the key is disclosed, the receiver checks its
        correctness (through self-authentication) and
        authenticates the buffered packets
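
The key chain, delayed disclosure and receiver-side checks of the three TESLA slides, as an added example (not part of the original presentation). It assumes SHA-256 as the one-way function and HMAC-SHA-256 as the MAC, uses the chain key directly as the MAC key, and takes a disclosure delay of two intervals; class and function names are introduced here for illustration.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One-way hash function used to build the key chain (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()


def tag(key: bytes, payload: bytes) -> bytes:
    """Message authentication code over the packet contents."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_key_chain(k_n: bytes, n: int) -> list:
    """Return [K_0, K_1, ..., K_N] with K_{i-1} = H[K_i]; K_0 is the public commitment."""
    chain = [k_n]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def earlier_key(key: bytes, idx: int, target_idx: int) -> bytes:
    """Derive K_target_idx from K_idx by hashing (idx - target_idx) times."""
    for _ in range(idx - target_idx):
        key = H(key)
    return key


class Sender:
    def __init__(self, k_n: bytes, n: int, interval_len: float, delay: int):
        self.chain = make_key_chain(k_n, n)
        self.interval_len, self.delay = interval_len, delay

    def send(self, payload: bytes, now: float) -> dict:
        i = int(now // self.interval_len) + 1        # current interval, 1..N
        j = max(i - self.delay, 0)                   # most recent disclosable key
        return {"payload": payload, "interval": i,
                "mac": tag(self.chain[i], payload),  # keys used in reverse order of generation
                "disclosed": (j, self.chain[j])}


class Receiver:
    def __init__(self, commitment: bytes, n: int, interval_len: float,
                 delay: int, max_clock_error: float):
        self.idx, self.key = 0, commitment           # newest authenticated chain value
        self.n, self.interval_len = n, interval_len
        self.delay, self.max_clock_error = delay, max_clock_error
        self.buffer = []

    def receive(self, pkt: dict, now: float) -> list:
        """Process one packet; return the payloads that became authenticated."""
        j, k_j = pkt["disclosed"]
        # Self-authentication: a disclosed key must hash back to a value already trusted.
        if self.idx < j <= self.n and earlier_key(k_j, j, self.idx) == self.key:
            self.idx, self.key = j, k_j
        # Security condition: buffer only if the sender cannot have disclosed K_i yet,
        # even if its clock runs ahead of ours by max_clock_error.
        latest = int((now + self.max_clock_error) // self.interval_len) + 1
        if pkt["interval"] + self.delay > latest:
            self.buffer.append(pkt)
        ready = [p for p in self.buffer if p["interval"] <= self.idx]
        self.buffer = [p for p in self.buffer if p["interval"] > self.idx]
        return [p["payload"] for p in ready
                if hmac.compare_digest(
                    tag(earlier_key(self.key, self.idx, p["interval"]), p["payload"]),
                    p["mac"])]


if __name__ == "__main__":
    s = Sender(b"\x11" * 32, n=10, interval_len=1.0, delay=2)   # constructed seed K_N
    r = Receiver(s.chain[0], 10, 1.0, 2, max_clock_error=0.1)
    print(r.receive(s.send(b"route-update-1", now=0.5), now=0.6))   # buffered
    print(r.receive(s.send(b"route-update-2", now=2.5), now=2.6))   # first one released
```

A packet that arrives after its key could already have been disclosed is dropped rather than buffered, which is what stops a node that has learned the disclosed key from forging MACs for that interval.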

82
Assumptions
  • Of the network
  • Network links are bidirectional
  • The network may drop, corrupt, reorder or
    duplicate packets
  • Each node must be able to estimate the end-to-end
    transmission time to any other node in the
    network
  • Disregard physical attacks and Medium Access
    Control attacks
  • Of the nodes
  • Resources of nodes may vary greatly, so Ariadne
    assumes constrained nodes
  • All nodes have loosely synchronized clocks

83
Security Assumptions
  • Three authentication mechanism possibilities
      • Pairwise secret keys (requires $n(n+1)/2$ keys)
      • TESLA (shared keys between all source-destination pairs)
      • Digital signatures (requires powerful nodes)

84
Key Setup
  • Shared secret keys
  • Key distribution center
  • Bootstrapping from a Public Key Infrastructure
  • Pre-loading at initialization
  • Initial TESLA keys
  • Embed at initialization
  • Assume a PKI and embed the Certification Authority's public
    key at each node

85
Ariadne Overview
  • Authenticate routing messages using one of:
      • Shared secrets between each pair of nodes
          • Avoids the need for synchronization
      • Shared secrets between communicating nodes combined with
        broadcast authentication
          • Requires loose time synchronization
          • Allows additional protocol optimizations
      • Digital signatures

86
Ariadne Notation
  • A and B are principals (e.g., communicating nodes)
  • $K_{AB}$ and $K_{BA}$ are secret MAC keys shared between A and B
  • $\mathrm{MAC}_{K_{AB}}(M)$ is the computation of the MAC of
    message M using key $K_{AB}$

87
Route Discovery
  • Assume sender and receiver share secret
    (non-TESLA) keys for message authentication
  • Target authenticates ROUTE REQUESTS
  • Initiator includes a MAC computed with end-to-end
    key
  • Target verifies authenticity and freshness of
    request using shared key
  • Data authentication using TESLA keys
  • Each hop authenticates new information in the
    REQUEST
  • Target buffers REPLY until intermediate nodes
    release TESLA keys
  • TESLA security condition is verified at the
    target
  • Target includes a MAC in the REPLY to certify the
    condition was met
  • Attacker can remove a node from node list in a
    REQUEST
  • One-way hash functions verify that no hop was
    omitted (per-hop hashing)

88
Route Discovery (cont.)
  • Assume all nodes know an authentic key of the
    TESLA one-way key chain of every other node
  • Securing ROUTE REQUEST
  • Target can authenticate the sender (using their
    additional shared key)
  • Initiator can authenticate each path entry using
    intermediate TESLA keys
  • No intermediate node can remove any other node in
    the REQUEST or REPLY

89
Route Discovery (cont.)
  • Upon receiving ROUTE REQUEST, a node
  • Processes the request only if it is new
  • Processes the request only if the time interval
    is valid (not too far in the future, but not for
    an already disclosed TESLA key)
  • Modifies the request and rebroadcasts it
  • Appends its address to the node list, replaces
    the hash chain with H[A, hash chain], and appends
    a MAC of the entire REQUEST to the MAC list using
    K_Ai, where i is the index of the time interval
    specified in the REQUEST

90
Route Discovery (cont.)
  • When the target receives the route request
  • Checks the validity of the REQUEST (determining
    that the keys from the time interval have not
    been disclosed yet and that hash chain is
    correct)
  • Returns ROUTE REPLY containing eight fields
  • ROUTE REPLY, target, initiator, time interval,
    node list, MAC list
  • target MAC: MAC computed over the above fields with
    the key shared between target and initiator
  • key list: disclosable MAC keys of nodes along the
    path

91
Route Discovery (cont.)
  • Node forwarding ROUTE REPLY
  • Waits until it can disclose TESLA key from
    specified interval
  • Appends that key to the key list
  • This waiting does delay the return of the ROUTE
    REPLY but does not consume extra computational
    power

92
Route Discovery (cont.)
  • When initiator receives ROUTE REPLY
  • Verifies each key in the key list is valid
  • Verifies that the target MAC is valid
  • Verifies that each MAC in the MAC list is valid
    using the TESLA keys
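
The route discovery steps on the preceding slides, written out as an added Python example (not part of the original slides and not the Ariadne authors' code). It assumes HMAC-SHA256 as the MAC, SHA-256 as H, length-prefixed field encoding, and constructed keys and node names; TESLA timing checks and the target MAC on the REPLY are left out.

```python
import hashlib, hmac

def enc(*parts):  # length-prefix each field so boundaries are unambiguous
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)
def H(*parts):
    return hashlib.sha256(enc(*parts)).digest()
def mac(key, *parts):
    return hmac.new(key, enc(*parts), hashlib.sha256).digest()
def hash_n(key, n):  # n steps along a one-way (TESLA) key chain toward its anchor
    for _ in range(n):
        key = H(key)
    return key

def new_request(k_sd, initiator, target, req_id, interval):
    fixed = (b"ROUTE REQUEST", initiator, target, req_id, bytes([interval]))
    return {"fixed": fixed, "chain": mac(k_sd, *fixed), "nodes": [], "macs": []}

def hop_forward(req, name, tesla_key):
    # Append address, replace chain with H[A, chain], append MAC of the whole REQUEST.
    nodes, chain = req["nodes"] + [name], H(name, req["chain"])
    m = mac(tesla_key, *req["fixed"], chain, *nodes, *req["macs"])
    return {**req, "chain": chain, "nodes": nodes, "macs": req["macs"] + [m]}

def target_check(req, k_sd):  # recompute H[A_n, ... H[A_1, h0]] from the node list
    h = mac(k_sd, *req["fixed"])
    for name in req["nodes"]:
        h = H(name, h)
    return hmac.compare_digest(h, req["chain"])

def initiator_check(req, k_sd, key_list, anchors):
    # Each disclosed key must hash back to its node's anchor; then replay the MAC list.
    ok = len(key_list) == len(req["nodes"]) == len(req["macs"])
    replay = {**req, "chain": mac(k_sd, *req["fixed"]), "nodes": [], "macs": []}
    for name, key in zip(req["nodes"], key_list):
        ok = ok and hmac.compare_digest(hash_n(key, req["fixed"][4][0]), anchors.get(name, b""))
        replay = hop_forward(replay, name, key)
    return ok and all(hmac.compare_digest(a, b) for a, b in zip(replay["macs"], req["macs"]))

def demo():  # constructed sample: S -> A -> B -> C -> D, TESLA interval 3 of 8
    k_sd, hops = b"constructed S-D key", (b"A", b"B", b"C")
    keys = [hash_n(b"seed-" + n, 5) for n in hops]
    anchors = {n: hash_n(b"seed-" + n, 8) for n in hops}
    req = new_request(k_sd, b"S", b"D", b"id-1", 3)
    for n, k in zip(hops, keys):
        req = hop_forward(req, n, k)
    # Attacker strips B and its MAC; the chain value still commits to A, B, C.
    forged = {**req, "nodes": [b"A", b"C"], "macs": req["macs"][::2]}
    return (target_check(req, k_sd), initiator_check(req, k_sd, keys, anchors),
            target_check(forged, k_sd))
```

demo() returns the target's verdict on the honest REQUEST, the initiator's verdict on the MAC and key lists, and the target's verdict on the REQUEST with hop B removed.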

93
Route Maintenance
  • Based on DSR
  • Node forwarding a packet to the next hop returns
    a ROUTE ERROR to the original sender
  • To prevent unauthorized nodes from sending errors,
    we require errors to be authenticated by the
    sender

94
Route Maintenance
  • Errors are propagated just as regular data
    packets
  • Intermediate nodes remove routes that use the bad
    link
  • Sending node continues to send data packets along
    the route until error is validated
  • Generates additional errors, which are all
    cleaned up when the error is finally validated

95
Anonymous Communication
  • Sometimes security requirements may include
    anonymity
  • Availability of an authentic key is not enough to
    prevent traffic analysis
  • We may want to hide the source or the destination
    of a packet, or simply the amount of traffic
    between a given pair of nodes

96
Traffic Analysis
  • Traditional approaches for anonymous
    communication, for instance, based on MIX nodes
    or dummy traffic insertion, can be used in
    wireless ad hoc networks as well
  • However, it is possible to develop new approaches
    considering the broadcast nature of the wireless
    channel

97
Mix Nodes
  • Mix nodes can reorder packets from different
    flows, insert dummy packets, or delay packets, to
    reduce correlation between packets in and packets
    out

[Figure: network topology with nodes A, B, C, D, E, F, G and mix nodes M1, M2, M3]
98
Mix Nodes
  • Node A wants to send message M to node G. Node A
    chooses 2 Mix nodes (in general n mix nodes),
    say, M1 and M2

99
Mix Nodes
  • Node A transmits to M1 the message K1(R1, K2(R2, M)),
    where Ki() denotes encryption using the public key
    Ki of Mix i, and Ri is a random number

100
Mix Nodes
  • M1 recovers K2(R2, M) and sends it to M2

101
Mix Nodes
  • M2 recovers M and sends it to G

102
Mix Nodes
  • If M is encrypted by a secret key, no one other
    than G or A can know M
  • Since M1 and M2 mix traffic, observers cannot
    determine the source-destination pair without
    compromising M1 and M2 both
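
The layered message K1(R1, K2(R2, M)) from the preceding slides, as an added Python example (not part of the original slides). It assumes a next-hop address inside each layer, which the slides do not show, and uses textbook RSA over Mersenne primes as a toy stand-in for each mix's public key; the key sizes, names and message are constructed.

```python
import secrets

E, R_LEN = 65537, 16

def keypair(p, q):  # textbook RSA from two known primes: a toy stand-in for K_i
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def seal(pub, payload):
    """K_i(R_i, payload): prepend a fresh random R_i, then encrypt for mix i."""
    n, e = pub
    m = int.from_bytes(b"\x01" + secrets.token_bytes(R_LEN) + payload, "big")
    if m >= n:
        raise ValueError("payload too long for this key")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def unseal(priv, blob):
    """A mix strips its layer: decrypt, drop the marker byte and R_i."""
    n, d = priv
    m = pow(int.from_bytes(blob, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1 + R_LEN:]

def build_onion(route, dest, message):
    """route: [(name, pub), ...] in forwarding order. Wraps the innermost layer first."""
    hop, body = dest, message
    for name, pub in reversed(route):
        body = seal(pub, hop + b"|" + body)
        hop = name
    return hop, body  # first mix to contact, and K1(R1, M2 | K2(R2, G | M))

def mix_forward(priv, blob):
    """What one mix learns: only the next hop and an opaque (or final) body."""
    hop, body = unseal(priv, blob).split(b"|", 1)
    return hop, body

# Toy keys built from Mersenne primes (trivially factorable, illustration only).
PUB1, PRIV1 = keypair(2**607 - 1, 2**1279 - 1)   # M1: outer layer, larger modulus
PUB2, PRIV2 = keypair(2**127 - 1, 2**521 - 1)    # M2: inner layer

def demo(message=b"constructed message M"):
    first, onion = build_onion([(b"M1", PUB1), (b"M2", PUB2)], b"G", message)
    hop1, inner = mix_forward(PRIV1, onion)      # at M1: sees M2, not G or M
    hop2, plain = mix_forward(PRIV2, inner)      # at M2: sees G and M
    return first, hop1, hop2, plain, onion
```

M2 sees M in the clear in this run, which is why the slide's point about encrypting M with a secret key matters. The random Ri makes two onions for the same message differ on the wire.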

103
Alternative Mix Nodes
  • Suppose A uses M2 and M3 (not M1 and M2)
  • → Need to take fewer hops
  • Choice of mix nodes affects overhead

104
Mix Node Selection
  • Intelligent selection of mix nodes can reduce
    overhead
  • With mobility, the choice of mix nodes may have
    to be modified to reduce cost
  • However, change of mix selection has the
    potential for divulging more information