Presentation is loading. Please wait.

Presentation is loading. Please wait.

MAC Layer Security.

Similar presentations

Presentation on theme: "MAC Layer Security."— Presentation transcript:

1 MAC Layer Security

2 Outline MAC Basics MAC Layer Security in Wired Networks
MAC Layer Security in Wireless Networks

3 Multiple Access Links and Protocols
Three types of “links”: Point-to-point (single wire, e.g. PPP, SLIP) Broadcast (shared wire or medium; e.g, Ethernet, Wavelan, etc.) Switched (e.g., switched Ethernet, ATM etc)

4 Multiple Access protocols
Single shared communication channel Two or more simultaneous transmissions by nodes: interference Only one node can send successfully at a time Multiple access protocol: Distributed algorithm that determines how stations share channel, i.e., determine when station can transmit Communication about channel sharing must use channel itself! What to look for in multiple access protocols: Synchronous or asynchronous Information needed about other stations Robustness (e.g., to channel errors) Performance

5 MAC Protocols: a taxonomy
Three broad classes: Channel Partitioning TDMA: time division multiple access FDMA: frequency division multiple access CDMA (Code Division Multiple Access) Read! Random Access Allow collisions “Recover” from collisions “Taking turns” Tightly coordinate shared access to avoid collisions Goal: efficient, fair, simple, decentralized

6 Random Access protocols
When node has packet to send Transmit at full channel data rate R. No a priori coordination among nodes Two or more transmitting nodes -> “collision”, Random access MAC protocol specifies: How to detect collisions How to recover from collisions (e.g., via delayed retransmissions) Examples of random access MAC protocols: Slotted ALOHA and ALOHA CSMA and CSMA/CD

7 CSMA: Carrier Sense Multiple Access)
CSMA: listen before transmit: If channel sensed idle: transmit entire pkt If channel sensed busy, defer transmission Persistent CSMA: retry immediately with probability p when channel becomes idle (may cause instability) Non-persistent CSMA: retry after random interval Human analogy: don’t interrupt others!

8 CSMA collisions Collisions can occur: Collision: Note:
Spatial layout of nodes along Ethernet Collisions can occur: Propagation delay means two nodes may not year hear each other’s transmission Collision: Entire packet transmission time wasted Note: Role of distance and propagation delay in determining collision prob.

9 CSMA/CD (Collision Detection)
CSMA/CD: Carrier sensing, deferral as in CSMA Collisions detected within short time Colliding transmissions aborted, reducing channel wastage Persistent or non-persistent retransmission Collision detection: Easy in wired LANs: measure signal strengths, compare transmitted, received signals Difficult in wireless LANs: receiver shut off while transmitting Human analogy: Polite conversationalist

10 CSMA/CD collision detection

11 “Taking Turns” MAC protocols
Channel partitioning MAC protocols: Share channel efficiently at high load Inefficient at low load: delay in channel access, 1/N bandwidth allocated even if only 1 active node! Random access MAC protocols Efficient at low load: single node can fully utilize channel High load: collision overhead “Taking turns” protocols Look for best of both worlds!

12 “Taking Turns” MAC protocols
Token passing: Control token passed from one node to next sequentially. Token message Toncerns: token overhead latency single point of failure (token) Polling: Master node “invites” slave nodes to transmit in turn Request to Send, Clear to Send msgs Concerns: Polling overhead Latency Single point of failure (master)

13 Summary of MAC protocols
What do you do with a shared media? Channel Partitioning, by time, frequency or code Time Division,Code Division, Frequency Division Random partitioning (dynamic), ALOHA, S-ALOHA, CSMA, CSMA/CD Carrier sensing: easy in some technologies (wire), hard in others (wireless) CSMA/CD used in Ethernet Taking Turns Polling from a central cite, token passing

14 LAN Addresses and ARP 32-bit IP address:
Network-layer address Used to get datagram to destination network (recall IP network definition) LAN (or MAC or physical) address: Used to get datagram from one interface to another physically-connected interface (same network) 48 bit MAC address (for most LANs) burned in the adapter ROM

15 LAN Addresses and ARP Each adapter on LAN has unique LAN address

16 LAN Address (more) MAC address allocation administered by IEEE
Manufacturer buys portion of MAC address space (to assure uniqueness) Analogy: (a) MAC address: like Social Security Number (b) IP address: like postal address MAC flat address ⟹ portability Can move LAN card from one LAN to another IP hierarchical address NOT portable Depends on network to which one attaches

17 Recall earlier routing discussion
Starting at A, given IP datagram addressed to B: Look up net. address of B, find B on same net. as A Link layer send datagram to B inside link-layer frame A B E Frame source, dest address Datagram source, dest address B’s MAC addr A’s MAC addr A’s IP addr B’s IP addr IP payload Datagram Frame

18 ARP: Address Resolution Protocol
Question: how to determine MAC address of B given B’s IP address? Each IP node (Host, Router) on LAN has ARP module, table ARP Table: IP/MAC address mappings for some LAN nodes < IP address; MAC address; TTL> < ………………………….. > TTL (Time To Live): Time after which address mapping will be forgotten (typically 20 min)

19 ARP protocol A knows B's IP address, wants to learn physical address of B A broadcasts ARP query pkt, containing B's IP address All machines on LAN receive ARP query B receives ARP packet, replies to A with its (B's) physical layer address A caches (saves) IP-to-physical address pairs until information becomes old (times out) Soft state: information that times out (goes away) unless refreshed

20 Routing to another LAN A R B
Walkthrough: routing from A to B via R In routing table at source Host, find router In ARP table at source, find MAC address E6-E BB-4B, etc A R B

21 A R B A creates IP packet with source A, destination B
A uses ARP to get R’s physical layer address for A creates Ethernet frame with R's physical address as dest, Ethernet frame contains A-to-B IP datagram A’s data link layer sends Ethernet frame R’s data link layer receives Ethernet frame R removes IP datagram from Ethernet frame, sees its destined to B R uses ARP to get B’s physical layer address R creates frame containing A-to-B IP datagram sends to B A R B

22 Ethernet “Dominant” LAN technology: Cheap: $20 for 100Mbps!
First widely used LAN technology Simpler, cheaper than token LANs and ATM Kept up with speed race: 10, 100, 1000 Mbps Metcalfe’s Ethernet sketch

23 Ethernet Frame Structure
Sending adapter encapsulates IP datagram (or other network layer protocol packet) in Ethernet frame Preamble: 7 bytes with pattern followed by one byte with pattern Used to synchronize receiver, sender clock rates

24 Ethernet Frame Structure (more)
Addresses: 6 bytes, frame is received by all adapters on a LAN and dropped if address does not match Type: Indicates the higher layer protocol, mostly IP but others may be supported such as Novell IPX and AppleTalk) CRC: Checked at receiver, if error is detected, the frame is simply dropped

25 Ethernet: uses CSMA/CD
A: sense channel, if idle then { transmit and monitor the channel; If detect another transmission abort and send jam signal; update # collisions; delay as required by exponential backoff algorithm; goto A } else {done with the frame; set collisions to zero} else {wait until ongoing transmission is over and goto A}

26 Ethernet’s CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits; Exponential Backoff: Goal: adapt retransmission attempts to estimated current load heavy load: random wait will be longer First collision: choose K from {0,1}; delay is K x 512 bit transmission times After second collision: choose K from {0,1,2,3}… After ten or more collisions, choose K from {0,1,2,3,4,…,1023}

27 Outline MAC Basics MAC Layer Security in Wired Networks
MAC Layer Security in Wireless Networks

28 MAC Flooding Attack Problem: attacker can cause learning table to fill
Generate many packets to varied (perhaps nonexistent) MAC addresses This harms efficiency Effectively transforms switch into hub Wastes bandwidth, end host CPU This harms privacy Attacker can eavesdrop by preventing switch from learning destination of a flow Causes flow’s packet to be flooded throughout LAN DHCP can be flooded with bogus IP “address accepted by host” responses, deny IP connectivity to devices

29 MAC Spoofing Attack Host pretends to own the MAC address of another host Easy to do: most Ethernet adapters allow their address to be modified Powerful: can immediately cause complete DoS to spoofed host All learning table entries switch to point to the attacker All traffic redirected to attacker Can enable attacker to evade ACLs set based on MAC information

30 ARP Spoofing Attack Host B Host A MAC: MAC:
0000:ccab 0000:9f1e Gratuitious ARP: “My MAC is 0000:7ee5 and I have IP address ” IP MAC Attacker MAC: 0000:7ee5 0000:7ee5 Attacker sends fake unsolicited ARP replies Attacker can intercept forward-path traffic Can intercept reverse-path traffic by repeating attack for source Gratuitious ARPs make this easy – Only works within same subnet/VLAN Source: M. Caesar (UIUC)

31 Countermeasures to ARP Spoofing
Ignore Gratuitious ARP Problems: gratuitious ARP is useful, doesn’t completely solve the problem Dynamic ARP Inspection (DAI) Switches record <IP,MAC> mappings learned from DHCP messages, drop all mismatching ARP replies Intrusion detection systems (IDS) Monitor all <IP,MAC> mappings, signal alarms Can also partition Ethernet networks into “virtual” LANs that are disjoint from each other Source: M. Caesar (UIUC)

32 Outline MAC Basics MAC Layer Security in Wired Networks
MAC Layer Security in Wireless Networks

33 WEP Design Goals Symmetric key crypto
Confidentiality End host authorization Data integrity Self-synchronizing: each packet separately encrypted Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers) Efficient Implementable in hardware or software

34 Review: Symmetric Stream Ciphers
keystream generator key Combine each byte of keystream with byte of plaintext to get ciphertext: m(i) = i-th unit of message ks(i) = i-th unit of keystream c(i) = i-th unit of ciphertext c(i) = ks(i)  m(i) ( = exclusive or) m(i) = ks(i)  c(i) WEP uses RC4

35 Stream Cipher and Packet Independence
Recall design goal: each packet separately encrypted If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted Need to know where we left off for packet n WEP approach: initialize keystream with key + new IV for each packet: keystream generator Key+IVpacket keystreampacket

36 WEP Encryption (1) Sender calculates Integrity Check Value (ICV) over data Four-byte hash/CRC for data integrity Each side has 104-bit shared key Sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key Sender also appends keyID (in 8-bit field) 128-bit key inputted into pseudo random number generator to get keystream Data in frame + ICV is encrypted with RC4: B\bytes of keystream are XORed with bytes of data & ICV IV & keyID are appended to encrypted data to create payload Payload inserted into frame encrypted data ICV IV MAC payload Key ID

37 WEP Encryption (2) New IV for each frame

38 WEP decryption overview
encrypted data ICV IV MAC payload Key ID Receiver extracts IV Inputs IV, shared secret key into pseudo random generator, gets keystream XORs keystream with encrypted data to decrypt data + ICV Verifies integrity of data with ICV Note: Message integrity approach used here is different from MAC (message authentication code) and signatures (using PKI).

39 End-Point Authentication w/ Nonce
Nonce: Number (R) used only once –in-a-lifetime How to prove Alice “live”: Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R K (R) A-B Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

40 WEP Authentication Notes: Not all APs do it, even if WEP is being used
authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce Notes: Not all APs do it, even if WEP is being used AP indicates if authentication is necessary in beacon frame Done before association

41 Breaking 802.11 WEP Encryption
Security hole: 24-bit IV, one IV per frame ⟹ IVs eventually reused IV transmitted in plaintext ⟹ IV reuse detected Attack: Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 … Trudy sees: ci = di XOR kiIV Trudy knows ci di, so can compute kiIV Trudy knows encrypting key sequence k1IV k2IV k3IV … Next time IV is used, Trudy can decrypt!

42 802.11i: Improved Security Numerous (stronger) forms of encryption possible Provides key distribution Uses authentication server separate from access point

43 WPA: WiFi Protected Access
“Snapshot of i” developed Oct to fix WEP flaws Short-term solution: patch WEP using same hardware Temporal Key Integrity Protocol (TKIP) generates per-packet keys Keys have short lifetime; continuously “refreshed” TKIP includes Message Authentication Code for data integrity

44 WPA2: A Long-Term Solution
WPA2 provides confidentiality, data integrity, protection against replay attacks Uses AES in counter mode with cipher block chaining (CBC) and message authentication code (MAC) with a different key This is the Counter mode/CBC-MAC Protocol (CCMP) Both WPA and WPA2 use i authentication mechanisms, described next

45 802.11i: Four Phases of Operation
AP: access point STA: client station AS: Authentication server wired network 1 Discovery of security capabilities STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through” 2 3 STA derives Pairwise Master Key (PMK) AS derives same PMK, sends to AP 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity

46 EAP: Extensible Authentication Protocol
EAP: end-end client (mobile) to authentication server protocol EAP sent over separate “links” Mobile-to-AP (EAP over LAN) AP to authentication server (RADIUS over UDP) wired network EAP TLS EAP EAP over LAN (EAPoL) RADIUS IEEE UDP/IP

47 Simple Messages in Networking Systems
The messages that are short, unencrypted and used for controlling Examples SYN message in TCP Keep alive message in BGP RTS/CTS/null data frames in WLANs 47

48 Null Data Frames in 802.11 WLANs
A special type of data frame that contains no data Widely used for power management, channel scanning and association keeping alive Security vulnerabilities of null data frames in WLANs Functionality based Denial-of-Service attack Implementation based fingerprinting attack 48

49 Null Data Frame Format Frame body part is empty 0: sleep/awake  awake
1: awake  sleep Indicates whether frame body is encrypted 49

50 Power Management in 802.11 WLANs
beacon interval beacon time TIM = 0 =1 =1 =0 =0 data access point awake => sleep station

51 Security Vulnerability
The attacker can spoof the identity of a sleeping station, and steal its buffered data frames Null data frame is short Allows efficient fake frame generation Null data frame is unencrypted Allows fake frame generation

52 Illustration of Functionality based Denial-of-Service Attack
beacon interval beacon time TIM = 0 =0 =0 =0 =0 data access point null data (awake) awake => sleep victim station attacker

53 Salient Features of the Attack
Easy to implement Short frame without encryption Hard to detect in real time MAC address and sequence number are changeable Little communication overhead Not require frame flooding

54 802.11 WLAN Issues (1) No protection in open-access WLANs
Consequences: Passive eavesdropping Traffic analysis Message injection Masquerading Malicious AP Session hijacking Man-in-the-middle Denial-of-service Etc.

55 802.11 WLAN Issues (2) Weak Protection of WPA-PSK Consequences
Except pairwise master key (PMK), all the information needed to generate pairwise transit key (PTK) can be obtained from the first two unprotect messages in four-way handshake Vulnerability of WPA-PSK to insider (Insider attacks) Vulnerability of WPA-PSK with a weak key (Dictionary attacks) Consequences Encryption key is disclosed After getting the key, any attacks on open systems are possible

56 Null Data Frame Authentication
Basic Idea Encryption of link layer frames needs an encryption key How to set up this key? Replace “open system authentication” (OSA ) algorithm with “dummy authentication key-establishment” algorithm to set up a session key Why is the algorithm called dummy authentication? It occupies the position of an authentication algorithm in medium access control protocols It does not perform real authentication. It only sets up a cryptographic key

57 Patch: Open System Authentication
The key-point to patch the MAC protocol is: “open system authentication” (OSA ) algorithm, since there is no real authentication in this step. It’s just a place holder

58 Dummy Authentication Key-Establishment Alg.
AP Dummy authentication request Generate a rnd and a psk verify ticket, recover psk

59 Resulting Conversations of Robust Security Network Association
Now before before

60 Derivation of a New Pairwise Master Key
Utilize the existing algorithms/protocols to protect data frames with a new PMK Where the right part is the original PMK in WPA-PSK, csk is the common session key derived from dummy authentication. If it is used in open access network, set passphrase=“open system” Provide protections (encryption) to open system Prevent insider’s eavesdropping and dictionary attacks on WPA-PSK No need to modify the existing MAC protocols for data frame protection

61 Null Data Frame Protection
Need to modify MAC protocol by changing frame format frame := (MAC Header, null, pArgs,Htk(“last timestamp”, pArgs),FCS) Compare to original frame format, a MIC code is added The timestamp in the previous beacon is treated as filed plaintext data, even though it is not in the resulting frame MIC is different for each frame because of the changing timestamp and increased sequence number TCS or PN. This makes forging and replaying the null data frames useless

62 Discussions (1) A variation of the method is to separate the key transfer procedure and the dummy authentication procedure as shown in Figure 3(a) and 3(b). In this improved method, we add two more messages—key request and key response—for the public-key transfer procedure. Dummy authentication and key transfer are separated into two procedures to reduce the frequency of sending large certificates, thus improving efficiency and alleviating possible DoS attacks. In the key-response frame, there is a timestamp that indicates when the certificate was last updated. This information and certificate signature can also be included in the beacon frames so that a station can check consistency or obtain the latest information. This variation has the advantage that a station only needs to request the AP’s certificate once and the AP can process the key request in batch mode. This is to delay the key response and broadcast it once for awhile. The disadvantage is that two more messages are needed.

63 Discussions (2) We can reduce the number of messages in dummy authentication to further improve the efficiency by transmitting some information in (re)association request/response frames as in Figure 3(c). Thus only two messages remain for the dummy authentication procedure. This improvement also has some disadvantages, such as more modification (association, re-association request and response frames) to the standard, which cannot prevent forged de-association frames during the dummy authentication process. The resulting improved method includes the public-key transfer shown in Figure 3(a) and the dummy authentication and modified association procedure shown in Figure 3(c)

64 Final Remarks MAC protocols control access to physical network resources for multiple clients (wired and wireless) Protocols not designed with security in mind Spoofing, flooding attacks possible against Ethernet, networks wireless security has improved considerably from WEP, but it is still not perfect Devices can be fingerprinted based on MAC layer characteristics

65 Thank You Questions & comments?

66 Acknowledgments This material is partially based on: Matthew Caesar’s slides on IP/Ethernet Security: Slides for J.F. Kurose and K.W. Ross textbook Georg Carle’s slides on Link-Layer Security: Zhimin Yang, Boxuan Gu, Adam Champion, Xiaole Bai and Dong Xuan, Link-Layer Protection in i WLANs with Dummy Authentication, in Proc. of ACM Conference on Wireless Network Security (WiSec), March 2009 (short paper).

Download ppt "MAC Layer Security."

Similar presentations

Ads by Google