8/10/2019 CS549 Chapter 13 Notes
1/25
Cryptography and Network Security 1
CS549: Cryptography and Network Security
by Xiang-Yang Li
Department of Computer Science, IIT
Notice
This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials, especially Cryptography and Network Security, 2nd edition, by William Stallings and Cryptography: Theory and Practice by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author.
The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs and protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these.
Cryptography & Network Security
Wireless LAN Security: Road to 802.11i
Xiangyang Li
Contents
Introduction
Problem: 802.11b Not Secure!
Wired Equivalent Privacy (WEP)
Types of Attacks
802.11b Proposed Solutions
802.1X
Wi-Fi Protected Access (WPA)
802.11i: The Solution
Conclusion
Introduction
Popular in offices, homes and public spaces (airport, coffee shop)
Most popular: 802.11b
  Example: Yahoo! DSL Wireless Kit
Theoretical max @ 11 Mbps
Operate at 2.4 GHz band
DSSS/FHSS modulation, similar to CDMA phones
Introduction
Standards: IEEE 802.11 series
  802.11b: 11 Mbps @ 2.4 GHz
  802.11a: 54 Mbps @ 5.7 GHz band
  802.11g: 54 Mbps @ 2.4 GHz band
  802.1X: security add-on
  802.11i: high security
Problem: 802.11b Not Secure!
No inherent security: the wired-to-wireless media change was the objective
Wired Equivalent Privacy (WEP): the only security built into 802.11
  Uses the RC4 stream cipher, in a bad way
  Vulnerable to several types of attacks
  Sometimes not even turned on
Wired Equivalent Privacy (WEP)
[Figure: RC4 key stream encryption (source: http://mason.gmu.edu/~gharm/wireless.html)]
Types of Attacks
Attacks
  Confidentiality
  Integrity
  Availability
Types of Attacks
Attacks on Confidentiality
  Traffic Analysis
  Passive Eavesdropping (very easy to do)
  Active Eavesdropping
  Unauthorized Access
Types of Attacks
Attacks on Confidentiality and/or Integrity
  Man-In-The-Middle
Attacks on Integrity
  Session Hijacking
  Replay
Attacks on Availability
  Denial of Service
802.11b Proposed Solutions
Virtual Private Network
Closed Network, through the use of SSID
Ethernet MAC address control lists
Replace RC4 with a block cipher
Don't reuse IV
Automatic Key Assignment
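As an added example (not part of the lecture slides, and not code from any WEP implementation), the following Python sketches the WEP construction from the RC4 slide above and shows why "Don't reuse IV" is on this list: the 24-bit IV is prepended to the shared key to seed RC4, so two frames sent under the same IV get the same keystream, and XORing their ciphertexts cancels it and leaves the XOR of the plaintexts. The key, IV and payloads are constructed sample values; the IvReuseMonitor is a hypothetical defender-side check, not something the slides describe.

```python
import struct
import zlib
from math import pi, sqrt


# Illustrative RC4 (KSA + PRGA). RC4 itself is a workable stream cipher; WEP's
# problem is how it is seeded: the 24-bit IV is simply prepended to the shared key.
def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style frame body: IV (3 bytes, sent in the clear) || RC4_{IV||key}(payload || CRC32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    body = payload + icv
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Returns (payload, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + shared_key, len(ct)))
    payload, icv = body[:-4], body[-4:]
    return payload, struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) == icv


def ciphertext_xor(frame_a: bytes, frame_b: bytes):
    """Same key + same IV means the same keystream, so XOR of the two ciphertexts
    equals XOR of the two plaintexts: confidentiality is lost without touching
    the key. Returns None when the IVs differ (keystreams differ, nothing cancels)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return xor_bytes(frame_a[3:3 + n], frame_b[3:3 + n])


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with uniformly random IVs a repeat is expected after roughly
    sqrt(pi/2 * 2^bits) frames, i.e. a few thousand frames for WEP's 24 bits."""
    return sqrt(pi / 2 * 2 ** iv_bits)


class IvReuseMonitor:
    """Hypothetical defender-side check: remember IVs seen per transmitter and flag a repeat."""

    def __init__(self):
        self.seen = {}

    def observe(self, transmitter: str, frame: bytes) -> bool:
        ivs = self.seen.setdefault(transmitter, set())
        iv = frame[:3]
        if iv in ivs:
            return True
        ivs.add(iv)
        return False


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"                  # constructed IV, reused for both frames
    f1 = wep_encrypt(key, iv, b"hello wifi world")
    f2 = wep_encrypt(key, iv, b"secret payload!!")
    print(wep_decrypt(key, f1))
    print(ciphertext_xor(f1, f2)[:16] == xor_bytes(b"hello wifi world", b"secret payload!!"))
    print(round(expected_frames_until_iv_repeat()))
```

The birthday figure is the point of the slide: even a perfectly random 24-bit IV repeats after a few thousand frames, which on a busy access point is a matter of minutes, so "don't reuse IV" is only achievable with a much larger IV space, which is what TKIP and CCMP later provide.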
802.1X: Interim Solution
Port-based authentication, not specific to wireless networks
Authentication servers: RADIUS
Client authentication: EAP
802.1X Problems
802.1X still has problems
  Extensible Authentication Protocol (EAP): one-way authentication
Attacks
  Man-in-the-Middle
  Session Hijacking
802.1X Proposed Solutions
Per-packet authenticity and integrity (lots of overhead)
Authenticity and integrity of EAPOL messages
Two-way authentication
Wi-Fi Protected Access (WPA)
Addresses issues with WEP
  Key management
  TKIP
    Key expansion
    Message Integrity Check
Software upgrade only
Compatible with 802.1X
Compatible with 802.11i
802.11i
Finalized: June 2004
Robust Security Network
Wi-Fi Alliance: WPA2
Improvements made
  Authentication enhanced
  Key management created
  Data transfer security enhanced
802.11i - Authentication
Authentication Server
Two-way authentication
  Prevents man-in-the-middle attacks
Master Key (MK)
Pairwise Master Key (PMK)
802.11i Key Management
Key Types
  Pairwise Transient Key
  Key Confirmation Key
  Key Encryption Key
  Group Transient Key
  Temporal Key
802.11i Key Management
[Figure: 802.11i key management (source: http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf)]
802.11i Data Transfer
CCMP
  Long-term solution, mandatory for 802.11i compliance
  Latest AES encryption
  Requires hardware upgrades
WRAP
  Provided for early vendor support
TKIP
  Carried over from WPA
802.11i Additional Enhancements
Pre-authentication
  Roaming clients
Client Validation
Password-to-key mappings
Random number generation
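As an added example (not from the lecture slides), the following Python walks through the 802.11i key derivations that the authentication, key management and enhancement slides name: the password-to-key mapping for pre-shared-key mode (PBKDF2-HMAC-SHA1 from passphrase and SSID to the PMK), the PRF used for key expansion, the split of the Pairwise Transient Key into Key Confirmation Key, Key Encryption Key and Temporal Key, and the KCK in use computing an EAPOL-Key MIC. The formulas follow IEEE 802.11i for the HMAC-SHA1 key-management suites; the passphrase/SSID pair is the standard's published test vector, while the MAC addresses, nonces and EAPOL frame bytes are constructed sample values.

```python
import hashlib
import hmac


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Password-to-key mapping for pre-shared-key mode: PBKDF2-HMAC-SHA1,
    4096 iterations, salted with the SSID, yielding a 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...,
    concatenated and truncated to n bits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering lets station and AP derive the same key regardless of role.
    Split for CCMP: KCK 128 bits (MIC over handshake messages), KEK 128 bits (wraps the
    GTK in message 3), TK 128 bits (per-session data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key Confirmation Key in use: the MIC field of a 4-way handshake message is
    HMAC-SHA1(KCK, frame with the MIC field zeroed), truncated to 128 bits."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


if __name__ == "__main__":
    # "password"/"IEEE" is the 802.11i annex test vector; the rest are constructed values.
    pmk = wpa_psk_to_pmk("password", "IEEE")
    aa = bytes.fromhex("a0a1a1a3a4a5")         # constructed authenticator (AP) MAC
    spa = bytes.fromhex("b0b1b2b3b4b5")        # constructed supplicant (client) MAC
    anonce = bytes(range(0xE0, 0x100))          # constructed 32-byte nonces
    snonce = bytes(range(0xC0, 0xE0))
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("PMK", pmk.hex())
    for name, k in ptk.items():
        print(name, k.hex())
    print("MIC", eapol_key_mic(ptk["KCK"], b"\x01\x03" + bytes(50)).hex())
```

Two things the code makes visible that the slide bullets do not: the PMK never goes on the air (only the nonces do, and the PTK is recomputed on both sides from them), and in PSK mode the PMK is a fixed function of passphrase and SSID, which is why the "password-to-key mapping" deliberately costs 4096 PBKDF2 rounds and why the passphrase strength, not the cipher, bounds the security of a home network.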
Conclusion
Basic 802.11b (with WEP)
  Massive security holes
  Easily attacked
802.1X
  Good interim solution
  Allows use of existing hardware
  Can still be attacked
Conclusion
Wi-Fi Protected Access
  Allows use of existing hardware
  Compatible with 802.1X
  Compatible with 802.11i
802.11i
  May require hardware upgrades
  Very secure
Nothing is ever guaranteed