s

DI Christian PloningerInstitut für KommunikationsnetzeTechnische Universität Wien

IPSec & i-Sharesecure WLAN solutions

s

&

Page 2 DI Christian Ploninger

Security Threats

Counter Measurements

i-Share: secure WLAN

Vortragsübersicht

s

&

Page 3 DI Christian Ploninger

Interception: An unauthorized party (a person, a program, or a computer) gains access to the communication. This is an attack on confidentiality.

Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability.

Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity.

Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity.

Interruption

Interception

Modification

Fabrication

Angriffskonzepte

[Stallings, 1995]: Network and Internetwork Security: Principals and Practice. Prentice Hall International, ISBN 0-13-180050-7.

s

&

Page 4 DI Christian Ploninger

Angriffe und Bedrohungen

Generally attacks may be categorized in passive and active attacks. While passive attacks can be defined as read-only attacks, active attacks include data generation, modification, or destruction.

s

&

Page 5 DI Christian Ploninger

Passive Angriffe

Passive attacks are based on interception. This attack type aims at message confidentiality.

Release of Message Contents (Eavesdropping): An attacker may read messages while they are in transfer. Eavesdropping on data transmission could result in the disclosure of sensitive information such as passwords, data, and procedures for performing functions, etc.

Traffic analysis: Traffic analysis is a form of passive attack in which an intruder observes data being transmitted. An attacker may make inferences of information from observation and analysis of the presence, absence, amount, direction, and frequency of the traffic flow.

Passive attacks are difficult to detect since they do not involve any alteration of data.The emphasis is on prevention rather than detection.

[2382-pt.8] ISO/IEC 2382-8, Information Technology - Vocabulary: Control, integrity, and security, 1998

s

&

Page 6 DI Christian Ploninger

Aktive Angriffe

Masquerading (Spoofing): In such attacks, a person (or machine) impersonates someone else to gain access to a resource.

Replay Attack: Often attacks are based on re-sending packets, or streams of packets, that have already been accepted by a recipient. The fact that it is not necessary to understood the received packets makes this attack quite dangerous.

Tampering (Packet Alteration): Instead of spoofing an identity, an attacker may choose to use a valid connection for his or her needs by altering the message content.

Denial of Service (DoS): DoS attacks aim to prevent access to network resources. Typical attacks involve flooding the network with traffic.

s

&

Page 7 DI Christian Ploninger

Aut

hent

icat

ion

Dat

a Tr

ansf

er

Esta

blis

h C

onne

ctio

n

Clo

se C

onne

ctio

n

Communication Process

Message TamperingMasquerade, ReplayDenial of Service

Eavesdropping

Active Attacks

Passive Attacks

States of Attack

s

&

Page 8 DI Christian Ploninger

Gegenmaßnahmen

Passive Angriffe GegenmaßnahmenRelease of Message Contents (Eavesdropping)

Message Encryption

Traffic Analysis Traffic PaddingAktive Angriffe GegenmaßnahmenDenial of ServiceMessage Tampering (Packet Alteration)

Key Derivation (Cryptographic Binding)

Replay Attacks Key FreshnessChallenge-Response (Challenge Entropy)

Masquerading (Spoofing) Pre-Shared SecretChallenge-Response

(Zero-Knowledge-Proof)

s

&

Page 9 DI Christian Ploninger

Countering Passive Attacks

Release of Message Contents (Eavesdropping): Using encryption cannot prevent from interception, but it protects the transmitted content and guarantees data confidentiality.

Traffic analysis: An appropriate counter measurement against this kind of attack is traffic padding. Traffic padding describes the generation of fake communications or data units to disguise the amount of real data units being sent.

s

&

Page 10 DI Christian Ploninger

Denial of Service (DoS): Especially in wireless communication it seems that there is no counter measurement against DoS attacks. Attackers easily can send noise traffic on the used radio frequencies making communication impossible.

Tampering (Packet Alteration): After the successful authentication of a valid user, an attacker may modify the transmitted data. This can be countered by the cryptographically binding of authentication and data transmission phase. Ordinary this is achieved by deriving session keys for the data transfer phase.

Countering Active Attacks

s

&

Page 11 DI Christian Ploninger

Replay Attacks: Cryptographic keys have to change frequently to protect against unauthorized key reuse (key freshness). Additionally challenge-response-protocols can be used to prevent from packet reuse.

Masquerading (Spoofing): Appropriate counter measurements against spoofing are: pre-shared secrets, challenge-response protocols.

Pre-shared secrets: The identity of a communication party can only be verified, if the party is known a-priori.

Challenge-Response-Protocols: The party’s identity has to be proofed without the transmission of the party‘s secret.

Countering Active Attacks (Cont.)

s

&

Page 12 DI Christian Ploninger

i-Sharei-Securityi-Motion

Wireless LANConnectivity

SecurityUsability

Application

Projekt i-Share

i-Share: Intelligente, von der Verfügbarkeit der Mitglieder abhängige Freigabe von dezentralen Daten über ein virtuelles Share.

i-Security: Schutz der über die Luftschnittstelle übertragenen Daten in Bezug auf Vertraulichkeit, Authentizität und Integrität.

i-Motion: Automatisiertes Handover zwischen verfügbaren Accesspoints ohne Datenverlust während Übertragungen.

Ziele der Unterprojekte:

Gesamtprojekti-Share

s

&

Page 13 DI Christian Ploninger

Design Goals

Schutz der über die Luftschnittstelle übertragenen Daten in Bezug auf Vertraulichkeit, Authentizität und Integrität.

• WLAN als ist ein unsicheres Extranet End-to-End Security zwischen Host und Security-

GW• Einbindung in das Firmennetz

Tunnelling Protocol zwischen Host und Security-GW• Schutz der Vertraulichkeit von firmeninternen Daten

Einsatz von Verschlüsselung• Schutz vor unbefugten Benutzern

Einsatz von User Authentication• Schutz vor Passwort Attacken

Einsatz von Device Authentication

s

&

Page 14 DI Christian Ploninger

Internet Protocol Security (IPSec)

s

&

Page 15 DI Christian Ploninger

IPSec AH/ESP

[RFC 2402]: IP Authentication Header (AH) [RFC 2406]: IP Encapsulating Security Payload (ESP)

s

&

Page 16 DI Christian Ploninger

• Standard auf vielen Plattformen• kein festgelegter Algorithmus (NEW: AES, Rijndeal)• unterstützt als sicher geltende Algorithmen (Twofish, AES, 3DES, IDEA, MD5, SHA,....)• keinerlei bekannte Design-Schwächen• NT: Client muss korrekt konfiguriert sein• IPSec gilt als zukunftssicher• fixer Bestandteil von IPv6

Vorteile von IPSEC

s

&

Page 17 DI Christian Ploninger

IP TrafficPPP Connection

Layer 2 Tunneling Protocol

Encrypted Data Transfer

Intranet

WirelessAccesspoint

+ FirewallVPN ServerWirless User

IPSEC Transport

IEEE 802.11gIEEE 802.11aIEEE 802.11b

IEEE 802.3

IP Traffic

• Sicher gegen Rouge APs• Sicher gegen Man-in-the-Middle Attacken (pre-shared secret)• Sicher gegen Eavesdropping (IPSEC-ESP)• State-of-the-art Algorithmen (3DES, AES) (kein WEP!)

[RFC 1171]: The Point-to-Point Protocol [RFC 2661]: Layer Two Tunneling Protocol "L2TP"

s

&

Page 18 DI Christian Ploninger

Packet Encapsulation

s

&

Page 19 DI Christian Ploninger

Authentication Process

VPN Server

Wirless User

Internet Key Exchange (Phase 1)Generation of Master Key

Mutual Device Authentication

PPP Authentication MS-CHAPv2Mutual User Authentication

PW-FilePassword

Generation of IPSec Session KeyInternet Key Exchange (Phase 2) ISAKMP SA

Master KeyMaster Key

IPSEC-ESP IPSEC SA

IPSec KeyIPSec Key

• Kombinierte Device/User Authentication • Beidseitige Authentifizierung (Mutual Authentication)

[RFC 2406]: IP Encapsulating Security Payload (ESP) [RFC 2409]: The Internet Key Exchange (IKE) [RFC 2759]: Microsoft PPP CHAP Extensions Version 2

s

&

Page 20 DI Christian Ploninger

Evaluation Chart

IKE MS-CHAPv2

Eavesdropping ProtectionEncryption (Auth.) 3-DESEncryption (Trans.) 3-DES 3-DES

Spoofing ProtectionPre-Shared Secret Passphra

sePassword

Device Authentication XUser Authentication XZero-Knowledge-Proof X XMutual Authentication X X

Tampering Protection Key Derivation X

Replay ProtectionKey Freshness X X

s

&

Page 21 DI Christian Ploninger

Schutz des firmeninternen Daten Sicherheit gegen Man-in-the-Middle

(pre-shared secrets) Sicherheit gegen Rouge APs

(End-to-End Security zwischen Host und Security-Gateway) Sicherheit gegen Tampering

(IKE Key Derivation) Sicherheit gegen Eavesdropping

(IPSEC-3DES) Sicherheit gegen Spoofing

(IKE Device Authentication, MS-CHAPv2 User Authentication, Mutual Authentiction, Zero-Knowledge-Proofs)

Sicherheit gegen Replay (IKE Key Lifetimes, MS-CHAPv2 Challenges)

Summary

s

&

Page 22 DI Christian Ploninger

IEEE 802.11bVPN / IPSec

Intranet

VPN Server+ Firewall

172.28.147.254

158.226.15.88

WWW Server158.226.15.100

172.28.147.4

WLAN Host172.28.147.x

Secured WLAN

Demonstrations Szenario

s

&

Page 23 DI Christian Ploninger

Vielen Dank für Ihre Aufmerksamkeit

s

DI Christian Ploninger+43 51707 42361

+43 (1) 58801 38829