Wireless Network Security and Interworking MINHO SHIN, JUSTIN MA, ARUNESH MISHRA, AND WILLIAM A. ARBAUGH University of Maryland, College Park, University of California, San Diego, La Jolla THE IEEE, VOL. 94, NO. 2, FEBRUARY 2006 Mong Nam Han m0ng01@an.kaist.ac.kr AN Lab, CS dept. KAIST, Korea 안녕하세요, 저는 AN연구실의 석사과정 한몽남입니다.

Overview Challenge to the interworking Security in cellular system Security in 802.11 WLAN 3G / WLAN interworking Conclusion, Q & A

Challenge to the interworking Variety of wireless have Different coverage and bandwidth Vastly different security architecture Security issue Contradictory security assumption The authentication process Long authentication delay during handover

Security in cellular system: ~2G 1G (analog) Cloning Channel hijacking Eavesdropping 2G Short authentication signature: 18bit Broken encryption algorithm: CMEA in ‘97, ORYX in ’98 GSM Security through obscurity: go through or around Disclosed master key of SIM card Reverse engineered function A5

Security in 3G Security challenges New revenue-related fraud The full range of threats similar on Internet Vulnerability to malicious access

Security in 3G: UMTS Enhancements Features Mutual authentication, encryption with 128 bit key lengths Features Network access security access control of users and MS, data confidentiality/integrity, and user identity privacy Network domain security security within provider domain User domain security User-USIM-terminal Application domain security Visibility, Configurability, Temporary identity

Security in 3G: UMTS AKA (Authentication and Key Agreement) protocol Mutual authentication Three entities User (MS or USIM) Serving node (VLR/SGSN) Home environment (HLR/AuC) Three stages Initiation Transfer of credentials Challenge-response exchange

Security in 3G: UMTS AKA process

Security in 3G: CDMA 2000 AKA with an optional extension New cryptographic function f11 generate a UIM Authentication Key (UAK) UMAC message authentication function on UAK Advanced Encryption Standard (AES)

Security in 3G Security issues in AKA Trust relationship between roaming partners One-pass challenge-response mechanism not full mutual authentication User only verifies a MAC Permanent identity (IMSI) in plain text when registering at first time

Security in 802.11 WLAN Authentication Access Control Open system authentication Shared key authentication: standard challenge and response Challenge text: WEP PRNG with the shared secret and IV Response: 32bit CRC integrity check (ICV) Access Control Closed network access control: SSID Access control lists: MAC address Security problems published in countless papers

Security in 802.11 WLAN: WPA WiFi Protected Access Three entities Security framework Three entities Supplicant: user Authenticator: switch, access point Authentication server

Security in 802.11 WLAN: EAP Extensible Authentication Protocol : Authentication mechanism built around challenge-response Four types of message EAP request: a challenge to supplicant EAP response: response EAP success: outcome EAP failure : outcome Features Extensible: encapsulation within EAP Flexible: operated at the network layer Dual-port model

Security in 802.11 WLAN: Problems Denial of service attack Management frame are not protected nor authenticated Session hijacking When not encrypted Trust relationship implicit trust

3G / WLAN interworking Roaming model and three typical authentication scenarios Case1: NY-WLAN operates independently, and Bill already have an account with NY-WLAN Case 2: IL-3G, Bill’s home network, has a roaming agreement with NY-WLAN Case 3: IL-3G and NY-WLAN do not have a roaming agreement, but NY-3G and NY-WLAN do

Case 2: Centralized internetworking Authentication EAP-SIM Lack of mutual authentication Weak 64 bit cipher key EAP-AKA Require synchronized sequence number Weakness of EAP Lacks for identity protection, protected method negotiation, protected termination possible man-in-the-middle attack Authentication latency: O(N2) Interdomain proactive key distribution Fast handoff scheme: reduce authentication latency Use neighbor graph Require reasonably accurate handoff prediction system AAA-broker Reduce total number of association: O(N) Be close, trustworthy, require strong security association between broker and home network man-in-the-middle attack: 공격자 자신이 대화에 끼어들거나 대화를 도청하거나, 아니면 그 내용을 변경해 버리는 것입니다. 예를 들어 공격자는 적절한 자격을 갖춘 클라이언트와 서버 간의 SMB 세션을 도청하여 패킷을 캡처한 다음 나중에 다시 재생하여 해당 서버에 연결합니다. SMB Reflection Attack은 공격자와 서버가 동일한 컴퓨터 상에 위치한, 특이한 유형의 man-in-the-middle 공격입니다

Case 3: Context transfer Security context: current state Authentication state: identifier Authorization state: services and functions Communication security parameter: encryption algorithm, session keys Reactive context transfer: after visit Context transfer protocol (CTP): at L3 Inter access point protocol (IAPP): at L2 Inter domain key exchange (IDKE): for seamless handover Proactive context transfer: before visit Soft handoff Prediction Ticket forwarding: issue ticket (context) to the client Kerberos

Case 3: Context transfer Discussion Benefit: performance, flexible trust relationships Issue Accounting and billing Post hoc authentication Full authentication or reauthentication

Conclusion, Q & A Good security will be developed in an open environment with the collaboration

Q & A