WLAN and Cellular Security Mechanisms (WLAN與Cellular安全機制探討)
Dr. 宋振華, ITRI Computer and Communications Research Laboratories (工研院電通所)

Slide 2 - Outline
- Current status of WLAN deployment
- WLAN network security: 802.11, attacks
- WLAN security architecture: 802.1x, EAP-TLS, EAP-SIM; WPA, 802.11i
- Upcoming WLAN/Cellular integration security: integration architecture
- Conclusion
- Q&A

Slide 3 - PWLAN: Crossing the Chasm?
(figure) Source: "WLAN in the Era of 3G", Xinli Hou, Ericsson, 2003.07.09

Slide 4 - Taiwan's niche for Cellular/WLAN dual-network services
- Mobile communications: handset penetration rate of 106%, the highest in the world (2002)
- WLAN: Taiwan holds 80% of the global market by production volume but only 30% by value (2002) (value does not keep pace with volume: hard-earned money!)
- The dual-network application integration programme aims to build on the manufacturing advantage and strengthen high value-added application services
- Through the programme, domestic vendors are to develop total-solution capability
- Integrating WLAN and Cellular in the handset creates dual-network application services
(chart: 2002 world manufacturing market share, WLAN 80%)

Slide 5 - Cellular/WLAN Integration Solution
(figure: cellular network with GGSN, SGSN and HLR; the Internet; a public WLAN with APs; a GSM/GPRS/WLAN terminal with WLAN card)
- Loose coupling: integration starting at the IP layer

Slide 6 - Cellular and WLAN each have their strengths
System | Services | Cell types | Examples
2G voice (GSM, PDC, IS-95) | Voice, circuit data (14.4 kbps) | Macro/Micro cell | GSM, PDC, IS-95
2.5G data (GPRS, cdmaOne) | Voice, packet data (up to 115 kbps) | Macro/Micro/Pico cell | GPRS, IS-95B
3G multimedia (W-CDMA, cdma2000) | Multimedia (up to 2 Mbps) | Macro/Micro/Pico/Spot cell | W-CDMA, cdma2000
Source: ITRI IEK (2003/03)
- Cellular: wide-area coverage, voice and narrow-band data services
- WLAN: high-bandwidth wireless, but only in specific locations; low-cost deployment
- Cellular and WLAN each have strengths, so the two complement each other
- WLAN helps change consumer behaviour, stimulating demand for fast data access anywhere and for 3G services
- Operators that add WLAN can capture the high-speed data market
- Hot Spot -> Wi-Fi City -> dual network

Slide 7 - WLAN/Cellular integration business opportunity: services
- Operators can offer both voice and Internet access
(figure: user segments, namely mobile phone users, Internet users and users of both; the existing GPRS/3G customer base is kept, and adding PWLAN enlarges the offering for existing customers and attracts new ones) Source: ITRI IEK (2002/12)

Slide 8 - Global Cellular + WLAN progress
- Cellular + WLAN application cases by country
- PWLAN promotion progress by country

Slide 9 - Current PWLAN development by country
(table not preserved) Source: ITRI IEK, 2003/06

Slide 10 - Digital Content Program
1. Wireless access points: about 700 as of mid-2003.
2. Subscribers: more than 1 million WLAN cards issued, but the number of actual roamers is close to zero.
3. Taiwan is the world's largest WLAN equipment manufacturer, with over 80% market share.
4. Leading new-product development programmes and similar initiatives have driven domestic production of WLAN components.
5. Taiwan has the world's strongest equipment manufacturing capability; with stronger application and content capability it would own a complete total solution.
6. Network services integrating Cellular and WLAN.

Slide 10 (cont.) - Taiwan's PWLAN industry (ITRI IEK, 2003/06)
- Chip design/manufacturing: 揚智、上元、威盛、瑞昱、益勤、鎵葳、亞信、聯發、工研院
- Equipment manufacturing: 正文、亞旭、智捷、環隆、建漢、友訊、中華電訊、智邦、明基電通、晶訊、神腦、突破、陽慶
- System integration: 全球領航、傳易科技、傳象科技、華電聯網、弘運科技、士恆資訊
- Service providers: 曜正、Hinet、蕃薯藤、東信、遠傳、億聯科技
- Content: (none listed)

Slide 11 - (no text extracted)

Slide 12 - Key success factors for PWLAN
- Develop applications and content with local character
- Establish demonstration application zones
- A competitive business operation model
- System integrators and equipment providers
- WLAN roaming: are the Internet access and security mechanisms adequate?
- Build and maintain the main portal site
- Promotion and showcasing of results
- Cellular and WLAN network roaming authentication
- Operations management mechanisms
- Establish roaming mechanisms and a roaming platform

Slide 13 - Security Issues of WLAN (section divider repeating the outline)

Slide 14 - WLAN/Cellular integration challenges
- Attitude of the mobile operators
- Hardware: lower prices for portable devices such as PDAs and notebooks; lower prices for WLAN devices that integrate GSM/GPRS/WLAN functions and carry a SIM card; technology development
- Customers: appropriate user education (education programmes, regulatory body, government initiatives)
- Software: software vendors providing value-added software such as online games
- Stakeholders: service providers, equipment manufacturers, customers and others, content providers; needs: service trials, competitive billing, DRM support
Source: ITRI IEK (2002/12)

Slide 15 - WLAN/Cellular integration challenges
- Technical: power consumption; handoff and roaming; security (authentication, authorization); DRM; billing; QoS; system interfaces
- Business: business models; global roaming agreements; relationships among WISPs, network providers and content providers; service charges; customer habits

Slide 16 - Security Issues of WLAN (section divider)

Slide 17 - WLAN Security
(table of papers and their publication dates not preserved)
- WLAN has encryption, authentication and system security problems
- The most fundamental problem of WLAN is authentication based on a "shared static key"

Slide 18 - Status of WLAN security standards
(timeline: WPA, followed by WPA v.2)

Slide 19 - Background
- WLAN uses the unlicensed ISM (Industrial, Scientific and Medical) band
- 2.4 GHz: IEEE 802.11b, 11 Mbps (22 Mbps), 1999
- 5.8 GHz: IEEE 802.11a, 54 Mbps (72 Mbps), 2001
- 2.4 GHz: IEEE 802.11g, 54 Mbps, 2003
WLAN standards (the slide singles out 802.11g as the good choice for security):
Standard | Rate | Band | Security | Range | Compatibility
802.11b | 11 Mbps | 2.4 GHz | WPA (incompatible with 11i) | 30-75 m | -
802.11g | 54 Mbps | 2.4 GHz | WPA (compatible with 11i) | 30-75 m | compatible with 11b
802.11a | 54 Mbps | 5.8 GHz | WPA (incompatible with 11i) | 30-75 m | incompatible with 11b

Slide 20 - 802.11 basics
- Association must be completed before data transmission
- The association process has three states (state diagram; deauthentication is one of the transitions)

Slide 21 - 802.11 basics (cont.): association process
1. Find an AP: the AP periodically sends beacons containing its SSID, or the client sends a probe request to find an AP that uses the desired SSID
2. Authentication: open system or pre-shared secret; MAC address list
3. The client sends an association request and receives the response
4. Send data

Slide 22 - 802.11 basics (cont.): authentication
- Open System: authenticate using the SSID
- Pre-shared secret: the challenge is encrypted using the pre-shared secret as the key; the access point uses a "challenge and response" method to authenticate the client

Slide 23 - 802.11 basics (cont.): access list
(figure: an AP on the office intranet with a manually configured access table; listed MAC addresses such as 00:02:03:04:05:06, 01:02:03:04:05:07 and 01:02:03:04:05:65 are accepted, while an unlisted address such as 02:02:03:04:05:07 is rejected)
- The access table is set up manually

Slide 24 - Some known attacks in the WLAN environment (1)
- Information exposure
- Brute-force SSID
- Denial of service
- Session hijacking
- Man-in-the-middle attack

Slide 25 - Some known attacks in the WLAN environment (2): information exposure
- What can be seen in an AP's configuration: SSID, channel, signal strength, WEP status, the AP's MAC address
- Attackers can use this information to get what they want

Slide 26 - Some known attacks in the WLAN environment (3): information exposure example (figure)

Slide 27 - Some known attacks in the WLAN environment (4): brute-force SSID
- Try default SSIDs, such as: tsunami (Cisco), 101 (3Com), Compaq (Compaq), WLAN (Addtron), intel (Intel), linksys (Linksys), Wireless or Default
- Or use a brute-force dictionary attack

Slide 28 - Some known attacks in the WLAN environment (5): denial of service
- Exploits a flaw of the 802.11 protocol (deauthentication frames)
- Uses the access point's MAC address and sends deauthentication frames continuously to the broadcast address
- Users are unable to reassociate with the AP

Slide 29 - Some known attacks in the WLAN environment (6): session hijacking
(figure: a switch connects a server with MAC 00:01:02:03:04:05 and a victim with MAC 05:04:03:02:01:00; the diagram shows each host's ARP table mapping the other host's IP address to its MAC address)

Slide 30 - Some known attacks in the WLAN environment (7): man-in-the-middle
(figure: the victim communicates with an AP advertising ESSID=CISCO with AP MAC 00:01:02:03:04:05; a second device with MAC E1:3B:D3:78:D5:43 is interposed in the path)

Slide 31 - Security issues in enterprise and public WLAN environments (1)
- Enterprise environment: physical control of the APs (connected directly to the intranet!?); authorization at the AP; the authentication web page is on the gateway

Slide 32 - Security issues in enterprise and public WLAN environments (2)
- Public environment: APs sit in an insecure environment (forged APs); WEP encryption is seldom used; authorization at the AP or at the gateway
(figure: office and ISP network with centralized AAA servers and a gateway between the insecure public network and the secure environment; authentication and authorization are handled centrally)

Slide 33 - Enhanced WLAN access methods needed
- Link-layer enhancements
  - Authentication: web-based authentication (for public WLAN); 802.1x-based authentication (for office/public WLAN)
  - Encryption: frequent key exchange; TKIP (long IV, MD5 in key scheduling, MIC); AES-OCB (combined encryption and MIC)
- IP-layer enhancement: IPsec over WLAN

Slide 34 - Security issues in enterprise and public WLAN environments (3): problem statement, authentication interface
- Web-based: WEP keys are managed manually, which is not suitable for a large-scale office; WEP encryption is seldom used in public WLAN; the authentication web page is on the gateway; no additional client software needs to be installed; the user must enter an id and password when connecting to the network
- 802.1x-based: no user interface is needed when the user associates to the WLAN; suitable for 3G-WLAN integration; authentication and key management with AAA (802.1x); dynamic key exchange; used in RSN (Robust Security Network), the long-term security architecture proposed by IEEE

Slide 35 - Countermeasures
- Prevention: WLAN scanner; unified log collection system
- Detection: misconfiguration detection; Layer-2 IDS; secure sensor; threat and weakness detection from the log system
- Protection: firewall (filters illegal connections); VPN (builds encrypted point-to-point connections); WLAN 802.1x and 802.11i (identity authentication prevents illegal intrusion; stronger cipher algorithms: RC4 -> AES, TKIP)

Slide 36 - Security Issues of WLAN (section divider)

Slide 37 - WLAN security architecture (1): the 802.1x standard
- Restricts access to the services offered by a LAN to authorized users and devices
- May be used by all 802.x networks
- Defines port-based access control
- Says nothing about key management; this is left to vendor implementation (EAP-TLS vs. EAP-MD5)
- Can use any EAP (RFC 2284) method installed on an AAA server

Slide 38 - WLAN security architecture (2): 802.1x architecture
- Supplicant: Ethernet (802.3) or WLAN (802.11) client
- Authenticator: Ethernet (802.3) switch or WLAN (802.11) AP
- Authentication server: AAA (RADIUS, Diameter)
- EAPOL (EAP over LAN) runs between supplicant and authenticator; EAP in RADIUS runs between authenticator and authentication server
- After successful authentication the port opens

Slide 39 - WLAN security architecture (3): 802.1x authentication
- 802.1x requires EAP, the Extensible Authentication Protocol
- EAP has four main authentication protocols: MD5; Cisco LEAP; EAP-TLS; EAP-TTLS and PEAP (TTLS and PEAP use certificates to authenticate the server side, but the TTLS client logs in using a password)
- All but MD5 use 128-bit keys

Slide 40 - WLAN security architecture (4): 802.1x authentication protocols compared
(comparison table not preserved) Note: EAP-SIM is only a draft

Slide 41 - WLAN security architecture (5): EAP-XXX
- Many EAP authentication protocols have been proposed for 802.1x. Which of them will survive? Which should we follow?
Type | Description | Reference | Implemented? | Spec available?
1 | Identity | RFC 2284 | Yes | RFC 2284
2 | Notification | RFC 2284 | Yes | RFC 2284
3 | NAK (Response only) | RFC 2284 | Yes | RFC 2284
4 | MD5-Challenge | RFC 2284 | Yes | RFC 2284
5 | One Time Password (OTP) | RFC 2284 | No | RFC 2284
6 | Generic Token Card | RFC 2284 | No | RFC 2284
7 | EAP-SIM | - | Yes | I-D
8 | - | - | No | No
9 | RSA Public Key Authentication | Whelan | No | Expired
10 | DSS Unilateral | Nace | Yes | I-D?
11 | KEA | Nace | Yes | I-D?
12 | KEA-Validate | Nace | Yes | I-D?
13 | EAP-TLS | Aboba | Yes | RFC 2716
14 | Defender Token (AXENT) | Roselli | Yes | No
15 | Windows 2000 EAP | Asnes | ? | No
16 | Arcot Systems EAP | Jerdonek | ? | No
17 | EAP-Cisco Wireless | Norman | Yes | No
18 | Nokia IP smart card auth | Haverinen | ? | No
19 | SRP-SHA1 Part 1 | Carlson | Yes | I-D
20 | SRP-SHA1 Part 2 | Carlson | No | I-D
21 | EAP-TTLS | Funk | Yes | I-D
22 | Remote Access Service | Fields | ? | No
23 | UMTS Auth and Key Agreement | Haverinen | ? | ?
24 | EAP-3Com Wireless | Young | Yes | No
25 | PEAP | Palekar | Yes | I-D

Slide 42 - WLAN security architecture (6): PKI-based PWLAN
- EAP-TLS (certificate based)
- VA data is updated by each WISP at any time and placed into the VA system by the Roaming Center; the VA acts like a broker AAA

Slide 43 - WLAN security architecture (7): roaming model for the PKI architecture
- EAP-TLS (certificate based) (figure)

Slide 44 - WLAN security architecture (8): SIM authentication for a 1x/11i terminal (figure)

Slide 45 - WLAN security architecture (9): IETF/3GPP EAP-SIM authentication procedure (figure)

Slide 46 - WLAN security architecture (10): EAP-SIM
- Mechanism: symmetric secret keys distributed on GSM SIM cards; GSM A3 and A8 algorithms
- Mutual authentication
- Key derivation supported, 128-bit keys
- If the same SIM is used in GSM and GPRS, the effective key length may be reduced to 64 bits by attacks over GSM/GPRS
- Not vulnerable to dictionary attacks
- Identity privacy with pseudonyms; the identity string is integrity protected
- Because EAP-SIM is not a tunnelling method, it does not protect EAP method negotiation, EAP notifications, EAP Success or EAP Failure
- No ciphersuite negotiation
- Fast reconnect supported (called "re-authentication" in EAP-SIM)
- EAP-SIM for the cellular SIM card

Slide 47 - WLAN security architecture (11): EAP-related authentication
- Which EAP authentication method will be chosen?
- Necessary conditions: mutual authentication; dynamic key exchange
- PKI vs. SIM: PKI-based EAP protocols are current standards, such as EAP-TLS; SIM-based EAP protocols are standard drafts, such as EAP-SIM
- The key point is the customer base

Slide 48 - WLAN security architecture (12): RSN (802.11i)
- IEEE has proposed a long-term security architecture for 802.11 WLAN, which it calls the Robust Security Network (RSN)
- IEEE is finalizing the new standard 802.11i, which includes: 802.1x port-based authentication; Temporal Key Integrity Protocol (TKIP); Advanced Encryption Standard (AES); key hierarchy and management features; cipher and authentication negotiation

Slide 49 - WLAN security architecture (13): RSN and WPA (Wi-Fi Protected Access)
- WPA uses currently available techniques with good performance
- 802.11i will be WPA version 2
- WPA version 1 includes all but AES: 802.1x port-based authentication (?); TKIP; key hierarchy and management features; cipher and authentication negotiation
- WPA specifies two forms of authentication: 802.1x/RADIUS; pre-shared key (generates the session key)

Slide 50 - Security Issues of WLAN (section divider)

Slide 51 - Integration architecture (1)
- Seamless mobility in 3G-WLAN as proposed by 3GPP
(figure: a 3G network with 3G RAN and core network, another IP network, the public network, and an 802.11i hot spot with an FA and an FA/HA; the legend is truncated after "3G access")
- No user interaction is needed when moving between Mobile IP-enabled networks
- Dual-mode terminal / Mobile IP client
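The 802.1x exchange of slides 37 to 39, worked through as an added example that is not part of the presentation: a Python simulation of the three parties of slide 38 (supplicant, authenticator, authentication server), with EAPOL on one side of the authenticator and EAP carried in RADIUS on the other, and a controlled port that only opens on EAP Success. EAP-MD5 is used because it is the simplest method on the page, and its response value follows RFC 3748 section 5.4 (MD5 over identifier, secret and challenge). The class names, the user database, the transcript format and the way RADIUS State is modelled are assumptions made for this example.

```python
"""Added example (not from the presentation): the 802.1x three-party exchange of
slide 38 simulated in Python.  The supplicant speaks EAPOL to the authenticator, the
authenticator relays EAP inside RADIUS to the authentication server, and the controlled
port stays closed until an EAP Success arrives.  EAP-MD5 is the method used; the
response value follows RFC 3748 section 5.4: MD5(Identifier || secret || challenge).
Class names, the user database and the transcript format are constructed here."""
import hashlib
import os
from dataclasses import dataclass

# Constructed credential store for the simulated AAA server.
USER_DB = {"alice@example.org": b"correct horse battery staple"}


@dataclass
class Eap:
    code: str            # "Request", "Response", "Success" or "Failure"
    identifier: int      # ties a Response to the Request it answers
    eap_type: str = ""   # "Identity" or "MD5-Challenge"
    data: bytes = b""    # identity string, challenge, or MD5 response value


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value (RFC 3748 5.4).  Nothing here derives a session key,
    which is why slide 39 lists MD5 as the one method without 128-bit keys."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthenticationServer:
    """AAA server: only ever sees EAP carried inside RADIUS, never the supplicant."""

    def __init__(self, user_db, challenge_source=os.urandom):
        self.user_db = user_db
        self.challenge_source = challenge_source   # injectable for deterministic tests
        self.pending = {}                          # identity -> (identifier, challenge)

    def access_request(self, eap, state):
        """Handle one RADIUS Access-Request; return (RADIUS code, EAP to relay, state).
        'state' stands in for the RADIUS State attribute that links the round trips."""
        if eap.code == "Response" and eap.eap_type == "Identity":
            identity = eap.data.decode()
            challenge = self.challenge_source(16)
            request = Eap("Request", eap.identifier + 1, "MD5-Challenge", challenge)
            self.pending[identity] = (request.identifier, challenge)  # unknown users are challenged too
            return "Access-Challenge", request, identity
        if eap.code == "Response" and eap.eap_type == "MD5-Challenge" and state in self.pending:
            ident, challenge = self.pending.pop(state)
            secret = self.user_db.get(state)
            if (secret is not None and eap.identifier == ident
                    and eap.data == md5_challenge_response(ident, secret, challenge)):
                return "Access-Accept", Eap("Success", eap.identifier), state
        return "Access-Reject", Eap("Failure", eap.identifier), state


class Authenticator:
    """AP or switch doing port-based access control: EAPOL passes through the
    uncontrolled port, all other traffic is dropped until the controlled port opens."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.port_authorized = False
        self.radius_state = None
        self.transcript = []

    def eapol(self, eap):
        """Take an EAPOL frame from the supplicant, relay it over RADIUS, return the reply."""
        self.transcript.append(("EAPOL", eap.code, eap.eap_type))
        code, reply, self.radius_state = self.auth_server.access_request(eap, self.radius_state)
        self.transcript.append(("RADIUS", code))
        if code == "Access-Accept":
            self.port_authorized = True     # "after authentication the port opens"
        elif code == "Access-Reject":
            self.port_authorized = False
        return reply

    def forward_data(self, frame):
        """Data frames only cross the controlled port once it is authorized."""
        return frame if self.port_authorized else None


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, request):
        if request.eap_type == "Identity":
            return Eap("Response", request.identifier, "Identity", self.identity.encode())
        if request.eap_type == "MD5-Challenge":
            value = md5_challenge_response(request.identifier, self.secret, request.data)
            return Eap("Response", request.identifier, "MD5-Challenge", value)
        raise ValueError("unsupported EAP method")


def run_8021x(identity, secret, user_db=USER_DB, challenge_source=os.urandom):
    """Drive one complete exchange; return the authenticator (port state + transcript)."""
    ap = Authenticator(AuthenticationServer(user_db, challenge_source))
    sta = Supplicant(identity, secret)
    eap = Eap("Request", 1, "Identity")   # the authenticator's EAP-Request/Identity
    while eap.code == "Request":
        eap = ap.eapol(sta.respond(eap))
    return ap


if __name__ == "__main__":
    for secret in (USER_DB["alice@example.org"], b"wrong password"):
        ap = run_8021x("alice@example.org", secret)
        print(ap.transcript, "port authorized:", ap.port_authorized)
```

Running the block prints the two transcripts; the authorized run shows the four messages of the exchange (Identity response, Access-Challenge, MD5-Challenge response, Access-Accept) and the failed run ends in Access-Reject with the port still closed. The server challenges unknown identities exactly like known ones so that the reject message does not reveal which usernames exist.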
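The deauthentication flood of slide 28 and the "Layer-2 IDS" countermeasure of slide 35, as an added example that is not part of the presentation: a small Python detector that reads one record per 802.11 management frame (a constructed line format, assumed to be produced by some monitor-mode capture tool), keeps a sliding time window of deauthentication and disassociation frames per BSSID, and raises one alert when the count in the window crosses a threshold. Broadcast-addressed deauths are counted separately because the slide names them as the flood's distinguishing trait. The record format, the sample log, the threshold and the alert fields are all assumptions made for this example.

```python
"""Added example (not from the presentation): a Layer-2 IDS check for the 802.11
deauthentication flood described on slide 28.  Input records are a constructed
one-line-per-frame format; the detector counts deauth/disassoc frames per BSSID in a
sliding window and alerts when a threshold is crossed."""
import re
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
LINE_RE = re.compile(
    rf"^(?P<ts>\d+(?:\.\d+)?) (?P<sub>deauth|disassoc|beacon|data) "
    rf"src=(?P<src>{MAC}) dst=(?P<dst>{MAC}) bssid=(?P<bssid>{MAC})(?: reason=(?P<reason>\d+))?$"
)


def parse_frame(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    frame = m.groupdict()
    frame["ts"] = float(frame["ts"])
    frame["reason"] = int(frame["reason"]) if frame["reason"] is not None else None
    return frame


class DeauthFloodDetector:
    def __init__(self, window_s=5.0, threshold=10):
        self.window_s = window_s
        self.threshold = threshold
        self.recent = defaultdict(deque)   # bssid -> deque of (ts, addressed_to_broadcast)
        self.alerted = set()               # one alert per BSSID per flood

    def observe(self, frame):
        """Feed one parsed frame; return an alert dict when a flood is detected."""
        if frame is None or frame["sub"] not in ("deauth", "disassoc"):
            return None
        window = self.recent[frame["bssid"]]
        window.append((frame["ts"], frame["dst"] == BROADCAST))
        while window and frame["ts"] - window[0][0] > self.window_s:
            window.popleft()               # forget frames older than the window
        if len(window) >= self.threshold and frame["bssid"] not in self.alerted:
            self.alerted.add(frame["bssid"])
            return {
                "bssid": frame["bssid"],
                "count": len(window),
                "broadcast": sum(1 for _, to_bcast in window if to_bcast),
                "window": (window[0][0], frame["ts"]),
                "last_reason": frame["reason"],
            }
        return None


def scan(lines, window_s=5.0, threshold=10):
    """Run the detector over an iterable of records and collect the alerts."""
    detector = DeauthFloodDetector(window_s, threshold)
    alerts = []
    for line in lines:
        alert = detector.observe(parse_frame(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: ordinary traffic, one legitimate unicast deauth from the AP, then
# a burst of broadcast deauths carrying the AP's address, as slide 28 describes.
AP = "00:01:02:03:04:05"
STA = "05:04:03:02:01:00"
NORMAL_LOG = [
    f"1.0 beacon src={AP} dst={BROADCAST} bssid={AP}",
    f"2.5 data src={STA} dst={AP} bssid={AP}",
    f"10.0 deauth src={AP} dst={STA} bssid={AP} reason=3",
]
FLOOD_LOG = [f"{20.0 + i * 0.1:.1f} deauth src={AP} dst={BROADCAST} bssid={AP} reason=7"
             for i in range(12)]

if __name__ == "__main__":
    for alert in scan(NORMAL_LOG + FLOOD_LOG):
        print(alert)
```

The single legitimate deauth at t=10 falls out of the 5-second window before the burst starts, so it never contributes to the count; the alert fires on the tenth burst frame and is not repeated for the remaining two. In a real deployment the threshold should be tuned against the AP's normal rate of deauths, and the alert would be correlated with the sensor's own view of the AP (a flood carrying the AP's address while the AP itself is idle is the strongest sign of forgery).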
