Presentation is loading. Please wait.

Presentation is loading. Please wait.

MAC Layer Security 1. Outline 2  MAC Basics  MAC Layer Security in Wired Networks  MAC Layer Security in Wireless Networks.

Similar presentations


Presentation on theme: "MAC Layer Security 1. Outline 2  MAC Basics  MAC Layer Security in Wired Networks  MAC Layer Security in Wireless Networks."— Presentation transcript:

1 MAC Layer Security 1

2 Outline 2  MAC Basics  MAC Layer Security in Wired Networks  MAC Layer Security in Wireless Networks

3 3 Multiple Access Links and Protocols Three types of “links”: r Point-to-point (single wire, e.g. PPP, SLIP) r Broadcast (shared wire or medium; e.g, Ethernet, Wavelan, etc.) r Switched (e.g., switched Ethernet, ATM etc)

4 4 Multiple Access protocols r Single shared communication channel r Two or more simultaneous transmissions by nodes: interference m Only one node can send successfully at a time r Multiple access protocol: m Distributed algorithm that determines how stations share channel, i.e., determine when station can transmit m Communication about channel sharing must use channel itself! m What to look for in multiple access protocols: Synchronous or asynchronous Information needed about other stations Robustness (e.g., to channel errors) Performance

5 5 MAC Protocols: a taxonomy Three broad classes: r Channel Partitioning m TDMA: time division multiple access m FDMA: frequency division multiple access m CDMA (Code Division Multiple Access) Read! r Random Access m Allow collisions m “Recover” from collisions r “Taking turns” m Tightly coordinate shared access to avoid collisions Goal: efficient, fair, simple, decentralized

6 6 Random Access protocols r When node has packet to send m Transmit at full channel data rate R. m No a priori coordination among nodes r Two or more transmitting nodes -> “collision”, r Random access MAC protocol specifies: m How to detect collisions m How to recover from collisions (e.g., via delayed retransmissions) r Examples of random access MAC protocols: m Slotted ALOHA and ALOHA m CSMA and CSMA/CD

7 7 CSMA: Carrier Sense Multiple Access) CSMA: listen before transmit: r If channel sensed idle: transmit entire pkt r If channel sensed busy, defer transmission m Persistent CSMA: retry immediately with probability p when channel becomes idle (may cause instability) m Non-persistent CSMA: retry after random interval r Human analogy: don’t interrupt others!

8 8 CSMA collisions Collisions can occur: Propagation delay means two nodes may not year hear each other’s transmission Collision: Entire packet transmission time wasted Spatial layout of nodes along Ethernet Note: Role of distance and propagation delay in determining collision prob.

9 9 CSMA/CD (Collision Detection) CSMA/CD: Carrier sensing, deferral as in CSMA m Collisions detected within short time m Colliding transmissions aborted, reducing channel wastage m Persistent or non-persistent retransmission r Collision detection: m Easy in wired LANs: measure signal strengths, compare transmitted, received signals m Difficult in wireless LANs: receiver shut off while transmitting r Human analogy: Polite conversationalist

10 10 CSMA/CD collision detection

11 11 “Taking Turns” MAC protocols Channel partitioning MAC protocols: m Share channel efficiently at high load m Inefficient at low load: delay in channel access, 1/N bandwidth allocated even if only 1 active node! Random access MAC protocols m Efficient at low load: single node can fully utilize channel m High load: collision overhead “Taking turns” protocols Look for best of both worlds!

12 12 “Taking Turns” MAC protocols Polling: r Master node “invites” slave nodes to transmit in turn r Request to Send, Clear to Send msgs r Concerns: m Polling overhead m Latency m Single point of failure (master) Token passing: r Control token passed from one node to next sequentially. r Token message r Toncerns: m token overhead m latency m single point of failure (token)

13 13 Summary of MAC protocols r What do you do with a shared media? m Channel Partitioning, by time, frequency or code Time Division,Code Division, Frequency Division m Random partitioning (dynamic), ALOHA, S-ALOHA, CSMA, CSMA/CD Carrier sensing: easy in some technologies (wire), hard in others (wireless) CSMA/CD used in Ethernet m Taking Turns Polling from a central cite, token passing

14 14 LAN Addresses and ARP 32-bit IP address: r Network-layer address r Used to get datagram to destination network (recall IP network definition) LAN (or MAC or physical) address: r Used to get datagram from one interface to another physically-connected interface (same network) r 48 bit MAC address (for most LANs) burned in the adapter ROM

15 15 LAN Addresses and ARP Each adapter on LAN has unique LAN address

16 16 LAN Address (more) r MAC address allocation administered by IEEE r Manufacturer buys portion of MAC address space (to assure uniqueness) r Analogy: (a) MAC address: like Social Security Number (b) IP address: like postal address r MAC flat address portability m Can move LAN card from one LAN to another r IP hierarchical address NOT portable m Depends on network to which one attaches

17 17 Recall earlier routing discussion A B E Starting at A, given IP datagram addressed to B: r Look up net. address of B, find B on same net. as A r Link layer send datagram to B inside link-layer frame B’s MAC addr A’s MAC addr A’s IP addr B’s IP addr IP payload Datagram Frame Frame source, dest address Datagram source, dest address

18 18 ARP: Address Resolution Protocol r Each IP node (Host, Router) on LAN has ARP module, table r ARP Table: IP/MAC address mappings for some LAN nodes m TTL (Time To Live): Time after which address mapping will be forgotten (typically 20 min) Question: how to determine MAC address of B given B’s IP address?

19 19 ARP protocol r A knows B's IP address, wants to learn physical address of B r A broadcasts ARP query pkt, containing B's IP address m All machines on LAN receive ARP query r B receives ARP packet, replies to A with its (B's) physical layer address r A caches (saves) IP-to-physical address pairs until information becomes old (times out) m Soft state: information that times out (goes away) unless refreshed

20 20 Routing to another LAN Walkthrough: routing from A to B via R r In routing table at source Host, find router r In ARP table at source, find MAC address E6-E BB-4B, etc A R B

21 21 r A creates IP packet with source A, destination B r A uses ARP to get R’s physical layer address for r A creates Ethernet frame with R's physical address as dest, Ethernet frame contains A-to-B IP datagram r A’s data link layer sends Ethernet frame r R’s data link layer receives Ethernet frame r R removes IP datagram from Ethernet frame, sees its destined to B r R uses ARP to get B’s physical layer address r R creates frame containing A-to-B IP datagram sends to B A R B

22 22 Ethernet “Dominant” LAN technology: r Cheap: $20 for 100Mbps! r First widely used LAN technology r Simpler, cheaper than token LANs and ATM r Kept up with speed race: 10, 100, 1000 Mbps Metcalfe’s Ethernet sketch

23 23 Ethernet Frame Structure Sending adapter encapsulates IP datagram (or other network layer protocol packet) in Ethernet frame Preamble: r 7 bytes with pattern followed by one byte with pattern r Used to synchronize receiver, sender clock rates

24 24 Ethernet Frame Structure (more) r Addresses: 6 bytes, frame is received by all adapters on a LAN and dropped if address does not match r Type: Indicates the higher layer protocol, mostly IP but others may be supported such as Novell IPX and AppleTalk) r CRC: Checked at receiver, if error is detected, the frame is simply dropped

25 25 Ethernet: uses CSMA/CD A: sense channel, if idle then { transmit and monitor the channel; If detect another transmission then { abort and send jam signal; update # collisions; delay as required by exponential backoff algorithm; goto A } else {done with the frame; set collisions to zero} } else {wait until ongoing transmission is over and goto A}

26 26 Ethernet’s CSMA/CD (more) Jam Signal: make sure all other transmitters are aware of collision; 48 bits; Exponential Backoff: r Goal: adapt retransmission attempts to estimated current load m heavy load: random wait will be longer r First collision: choose K from {0,1}; delay is K x 512 bit transmission times r After second collision: choose K from {0,1,2,3}… r After ten or more collisions, choose K from {0,1,2,3,4,…,1023}

27 Outline 27  MAC Basics  MAC Layer Security in Wired Networks  MAC Layer Security in Wireless Networks

28 MAC Flooding Attack  Problem: attacker can cause learning table to fill o Generate many packets to varied (perhaps nonexistent) MAC addresses  This harms efficiency o Effectively transforms switch into hub o Wastes bandwidth, end host CPU  This harms privacy o Attacker can eavesdrop by preventing switch from learning destination of a flow o Causes flow’s packet to be flooded throughout LAN  DHCP can be flooded with bogus IP “address accepted by host” responses, deny IP connectivity to devices 28

29 MAC Spoofing Attack  Host pretends to own the MAC address of another host o Easy to do: most Ethernet adapters allow their address to be modified o Powerful: can immediately cause complete DoS to spoofed host – All learning table entries switch to point to the attacker – All traffic redirected to attacker – Can enable attacker to evade ACLs set based on MAC information 29

30 ARP Spoofing Attack Attacker sends fake unsolicited ARP replies – Attacker can intercept forward-path traffic – Can intercept reverse-path traffic by repeating attack for source – Gratuitious ARPs make this easy –Only works within same subnet/VLAN Host A MAC: 0000:9f1e Attacker MAC: 0000:7ee5 Host BHost B MAC: 0000:ccab Gratuitious ARP: “My MAC is 0000:7ee5 and I have IP address ” :7ee5 IPMACIPMAC Source: M. Caesar (UIUC) 30

31 Countermeasures to ARP Spoofing  Ignore Gratuitious ARP o Problems: gratuitious ARP is useful, doesn’t completely solve the problem  Dynamic ARP Inspection (DAI) o Switches record mappings learned from DHCP messages, drop all mismatching ARP replies  Intrusion detection systems (IDS) o Monitor all mappings, signal alarms  Can also partition Ethernet networks into “virtual” LANs that are disjoint from each other Source: M. Caesar (UIUC) 31

32 Outline 32  MAC Basics  MAC Layer Security in Wired Networks  MAC Layer Security in Wireless Networks

33 WEP Design Goals r Symmetric key crypto m Confidentiality m End host authorization m Data integrity r Self-synchronizing: each packet separately encrypted m Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers) r Efficient m Implementable in hardware or software 33

34 Review: Symmetric Stream Ciphers r Combine each byte of keystream with byte of plaintext to get ciphertext: m m(i) = i-th unit of message m ks(i) = i-th unit of keystream m c(i) = i-th unit of ciphertext m c(i) = ks(i)  m(i) (  = exclusive or) m m(i) = ks(i)  c(i) r WEP uses RC4 keystream generator key keystream 34

35 Stream Cipher and Packet Independence r Recall design goal: each packet separately encrypted r If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted m Need to know where we left off for packet n r WEP approach: initialize keystream with key + new IV for each packet: keystream generator Key+IV packet keystream packet 35

36 WEP Encryption (1) r Sender calculates Integrity Check Value (ICV) over data m Four-byte hash/CRC for data integrity r Each side has 104-bit shared key r Sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key r Sender also appends keyID (in 8-bit field) r 128-bit key inputted into pseudo random number generator to get keystream r Data in frame + ICV is encrypted with RC4: m B\bytes of keystream are XORed with bytes of data & ICV m IV & keyID are appended to encrypted data to create payload m Payload inserted into frame encrypted dataICVIV MAC payload Key ID 36

37 WEP Encryption (2) New IV for each frame 37

38 WEP decryption overview r Receiver extracts IV r Inputs IV, shared secret key into pseudo random generator, gets keystream r XORs keystream with encrypted data to decrypt data + ICV r Verifies integrity of data with ICV m Note: Message integrity approach used here is different from MAC (message authentication code) and signatures (using PKI). encrypted dataICVIV MAC payload Key ID 38

39 End-Point Authentication w/ Nonce Nonce: Number (R) used only once –in-a-lifetime How to prove Alice “live”: Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R K (R) A-BA-B Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! 39

40 WEP Authentication authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce Notes:  Not all APs do it, even if WEP is being used  AP indicates if authentication is necessary in beacon frame  Done before association 40

41 Breaking WEP Encryption Security hole: r 24-bit IV, one IV per frame IVs eventually reused r IV transmitted in plaintext IV reuse detected Attack: m Trudy causes Alice to encrypt known plaintext d 1 d 2 d 3 d 4 … m Trudy sees: c i = d i XOR k i IV m Trudy knows c i d i, so can compute k i IV m Trudy knows encrypting key sequence k 1 IV k 2 IV k 3 IV … m Next time IV is used, Trudy can decrypt! 41

42 802.11i: Improved Security r Numerous (stronger) forms of encryption possible r Provides key distribution r Uses authentication server separate from access point 42

43 WPA: WiFi Protected Access r “Snapshot of i” developed Oct to fix WEP flaws r Short-term solution: patch WEP using same hardware m Temporal Key Integrity Protocol (TKIP) generates per- packet keys m Keys have short lifetime; continuously “refreshed” m TKIP includes Message Authentication Code for data integrity 43

44 WPA2: A Long-Term Solution r WPA2 provides confidentiality, data integrity, protection against replay attacks m Uses AES in counter mode with cipher block chaining (CBC) and message authentication code (MAC) with a different key m This is the Counter mode/CBC-MAC Protocol (CCMP) r Both WPA and WPA2 use i authentication mechanisms, described next 44

45 802.11i: Four Phases of Operation AP: access point AS: Authentication server wired network STA: client station 1 Discovery of security capabilities STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through” STA derives Pairwise Master Key (PMK) AS derives same PMK, sends to AP 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity 45

46 EAP: Extensible Authentication Protocol r EAP: end-end client (mobile) to authentication server protocol r EAP sent over separate “links” m Mobile-to-AP (EAP over LAN) m AP to authentication server (RADIUS over UDP) EAP TLS EAP EAP over LAN (EAPoL) IEEE RADIUS UDP/IP wired network 46

47 Simple Messages in Networking Systems r The messages that are short, unencrypted and used for controlling r Examples m SYN message in TCP m Keep alive message in BGP m RTS/CTS/null data frames in WLANs 47

48 Null Data Frames in WLANs r A special type of data frame that contains no data m Widely used for power management, channel scanning and association keeping alive r Security vulnerabilities of null data frames in WLANs m Functionality based Denial-of-Service attack m Implementation based fingerprinting attack 48

49 Null Data Frame Format Frame body part is empty 0: sleep/awake  awake 1: awake  sleep Indicates whether frame body is encrypted 49

50 beacon interval time access point station =1 =0 beacon data TIM = 0 awake => sleep Power Management in WLANs 50

51 Security Vulnerability r The attacker can spoof the identity of a sleeping station, and steal its buffered data frames r Null data frame is short m Allows efficient fake frame generation r Null data frame is unencrypted m Allows fake frame generation 51

52 beacon interval time access point victim station =0 attacker beacon null data (awake) data TIM = 0 awake => sleep Illustration of Functionality based Denial- of-Service Attack 52

53 Salient Features of the Attack r Easy to implement m Short frame without encryption r Hard to detect in real time m MAC address and sequence number are changeable r Little communication overhead m Not require frame flooding 53

54 WLAN Issues (1) r No protection in open-access WLANs r Consequences: m Passive eavesdropping m Traffic analysis m Message injection m Masquerading m Malicious AP m Session hijacking m Man-in-the-middle m Denial-of-service m Etc. 54

55 WLAN Issues (2) r Weak Protection of WPA-PSK m Except pairwise master key (PMK), all the information needed to generate pairwise transit key (PTK) can be obtained from the first two unprotect messages in four-way handshake m Vulnerability of WPA-PSK to insider (Insider attacks) m Vulnerability of WPA-PSK with a weak key (Dictionary attacks) r Consequences m Encryption key is disclosed m After getting the key, any attacks on open systems are possible

56 Null Data Frame Authentication r Basic Idea m Encryption of link layer frames needs an encryption key m How to set up this key?  Replace “ open system authentication ” (OSA ) algorithm with “ dummy authentication key- establishment ” algorithm to set up a session key r Why is the algorithm called dummy authentication? m It occupies the position of an authentication algorithm in medium access control protocols m It does not perform real authentication. It only sets up a cryptographic key

57 Patch: Open System Authentication  The key-point to patch the MAC protocol is: “ open system authentication ” (OSA ) algorithm, since there is no real authentication in this step. It ’ s just a place holder

58 Dummy Authentication Key- Establishment Alg. STAAP Dummy authentication request Generate a rnd and a psk verify ticket, recover psk

59 Resulting Conversations of Robust Security Network Association Now before

60 Derivation of a New Pairwise Master Key r Utilize the existing algorithms/protocols to protect data frames with a new PMK  Where the right part is the original PMK in WPA-PSK, csk is the common session key derived from dummy authentication. If it is used in open access network, set passphrase= “ open system ” r Provide protections (encryption) to open system  Prevent insider ’ s eavesdropping and dictionary attacks on WPA-PSK r No need to modify the existing MAC protocols for data frame protection

61 Null Data Frame Protection r Need to modify MAC protocol by changing frame format frame := (MAC Header, null, pArgs,H tk ( “ last timestamp ”, pArgs),FCS) r Compare to original frame format, a MIC code is added r The timestamp in the previous beacon is treated as filed plaintext data, even though it is not in the resulting frame r MIC is different for each frame because of the changing timestamp and increased sequence number TCS or PN. This makes forging and replaying the null data frames useless

62 Discussions (1)

63 Discussions (2)

64 Final Remarks r MAC protocols control access to physical network resources for multiple clients (wired and wireless) r Protocols not designed with security in mind r Spoofing, flooding attacks possible against Ethernet, networks r wireless security has improved considerably from WEP, but it is still not perfect r Devices can be fingerprinted based on MAC layer characteristics 64

65 Thank You Questions & comments? 65

66 Acknowledgments This material is partially based on: Matthew Caesar’s slides on IP/Ethernet Security: thernet.pdf Slides for J.F. Kurose and K.W. Ross textbook Georg Carle’s slides on Link-Layer Security: 06_LinkLayerSecurity_1up.pdf Zhimin Yang, Boxuan Gu, Adam Champion, Xiaole Bai and Dong Xuan, Link-Layer Protection in i WLANs with Dummy Authentication, in Proc. of ACM Conference on Wireless Network Security (WiSec), March 2009 (short paper). 66


Download ppt "MAC Layer Security 1. Outline 2  MAC Basics  MAC Layer Security in Wired Networks  MAC Layer Security in Wireless Networks."

Similar presentations


Ads by Google