
Chapter 9 Wireless network security


26/11/2017






Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

- Wireless security
- Mobile device security
- IEEE 802.11i Wireless LAN Security
- Wireless Application Protocol Overview
- Wireless Transport Layer Security
- WAP End-to-End Security
- Attack Types


The security risk of wireless networks is higher than that of wired networks:
o Channel: wireless uses broadcast communications
• more susceptible to eavesdropping and jamming
• more vulnerable to active attacks that exploit vulnerabilities in communications protocols
o Mobility:
• far more portable and mobile => larger number of risks
o Resources: some devices have sophisticated OSs but limited memory and processing resources with which to counter threats
• more denial of service and malware
o Accessibility: some wireless devices, such as sensors and robots, may be left unattended in remote and/or hostile locations
• this greatly increases their vulnerability to physical attacks

The transmission medium, which carries the radio waves for data transfer, is also a source of vulnerability.

- Accidental association:
o create overlapping transmission ranges => exposes resources of one LAN to the accidental user.
- Malicious association:
o steal passwords from legitimate users and then penetrate a wired network through a legitimate wireless access point.
- Ad hoc networks:
o pose a security threat due to a lack of a central point of control.
- Nontraditional networks:
o pose a security risk both in terms of eavesdropping and spoofing.
- Identity theft (MAC spoofing):
o eavesdrop on network traffic and identify the MAC address of a computer with network privileges.
- Man-in-the-middle attacks:
o persuading a user and an access point to believe that they are talking to each other while the attacker relays between them.
- Denial of service (DoS):
o attacker continually bombards a wireless access point with various protocol messages.
- Network injection:
o targets access points exposed to nonfiltered network traffic, such as routing protocol messages or network management messages.



Securing Wireless Transmissions (against eavesdropping, altering or inserting messages, and disruption):
o Signal-hiding techniques (against eavesdropping)
• turning off service set identifier (SSID) broadcasting;
• assigning cryptic names to SSIDs;
• reducing signal strength to the lowest level that still provides requisite coverage;
• locating wireless access points in the interior of the building, away from windows and exterior walls;
• use of directional antennas and of signal-shielding techniques.
o Encryption: encrypt all wireless transmissions and keep the encryption keys secured.



Securing Wireless Access Points (against unauthorized access):
o The IEEE 802.1X standard for port-based network access control
• an authentication mechanism for devices
• prevents rogue access points and other unauthorized devices from becoming insecure backdoors.

Securing Wireless Networks:
o Use encryption. Wireless routers are typically equipped with built-in encryption mechanisms for router-to-router traffic.
o Use anti-virus and anti-spyware software, and a firewall.
o Turn off identifier broadcasting, to make the network harder for attackers to find.
o Change the identifier on your router from the default, to hinder attackers' attempts to gain access.
o Change your router's pre-set password for administration.
o Allow only specific computers, with approved MAC addresses, to access your wireless network.



Mobile computers:
– Mainly smartphones, tablets
o Sensors: GPS, camera, accelerometer, etc.
o Computation: powerful CPUs (≥ 1 GHz, multi-core)
o Communication: cellular/4G, Wi-Fi, near field communication (NFC), etc.

- Many connect to cellular networks: billing system
- Cisco: 7 billion mobile devices will have been sold by 2012 [1]


Organization

- Mobile devices make attractive targets:
o People store much personal info on them: email, calendars, contacts, pictures, etc.
o Sensitive organizational info too…
o Can fit in pockets, easily lost/stolen
o Built-in billing system: SMS/MMS (mobile operator), in-app purchases (credit card), etc.
• Many new devices have near field communications (NFC), used for contactless payments, etc.
• Your device becomes your credit card
– Location privacy issues
- NFC-based billing system vulnerabilities





Device security
Client/server traffic security
Barrier security

- The Wi-Fi Alliance
- IEEE 802 Protocol Architecture
- IEEE 802.11 Network Components and Architectural Model
- IEEE 802.11 Services






The Wi-Fi Alliance has developed certification procedures for IEEE 802.11 security standards:
- Wired Equivalent Privacy (WEP) algorithm
o 802.11 privacy
- Wi-Fi Protected Access (WPA)
o set of security mechanisms that reduces most 802.11 security issues
o based on the current state of the 802.11i standard
- Robust Security Network (RSN)
o final form of the 802.11i standard
o Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under WPA2

[Figure: IEEE 802 Protocol Architecture]
General IEEE 802 functions:
o Flow control, error control
o Assemble data into frame, addressing, error detection, medium access
o En/decoding of signals, bit transmission/reception, transmission medium
Specific IEEE 802.11 functions:
o Reliable data delivery, wireless access control protocols
o Frequency band definition, wireless signal encoding





MPDU - MAC protocol data unit
MSDU - MAC service data unit

The data from the next higher layer

[Figure: IEEE 802.11 Extended Service Set]



IEEE 802.11i Services
IEEE 802.11i Phases of Operation
Discovery Phase
Authentication Phase
Key Management Phase
Protected Data Transfer Phase
The IEEE 802.11i Pseudorandom Function



- An AP uses messages called Beacons and Probe Responses to advertise
- The STA and AS prove their identities to each other
- The AP and the STA perform several operations that cause cryptographic keys
- Frames are exchanged between the STA and the end station through the AP
- The AP and STA exchange frames



The authentication phase consists of three phases:
o Connect to AS
• the STA sends a request to its AP (the one with which it has an association) for connection to the AS;
• the AP acknowledges this request and sends an access request to the AS
o EAP exchange
• authenticates the STA and AS to each other
o Secure key delivery
• once authentication is established, the AS generates a master session key and sends it to the STA

Two types of keys:
o pairwise keys, used for communication between an STA and an AP
o group keys, used for multicast communication

Pairwise keys: used for communication between a pair of devices (STA and AP)



Group keys: used in multicast communication
o 1 STA sends MPDUs to n STAs.
o Group master key (GMK): at the top of the hierarchy
o Group temporal key (GTK):
• is generated using material from both AP and STA.
• is distributed securely using the pairwise keys that are already established.
• is changed every time a device leaves the network.







Data integrity: Uses message authentication to ensure
that data sent between the client and the gateway are
not modified.
Privacy: Uses encryption to ensure that the data cannot
be read by a third party.
Authentication: Uses digital certificates to authenticate
the two parties.
Denial-of-service protection: Detects and rejects
messages that are replayed or not successfully verified.


- specifies the encryption algorithm, the hash algorithm used as part of HMAC, and cryptographic attributes
- convey WTLS-related alerts to the peer entity
- are compressed and encrypted, as specified by the current state
- authenticate: server & client
- negotiate encryption and MAC algorithms and cryptographic keys
- takes user data from the next higher layer
- encapsulates these data in a PDU: User Data -> Compress -> Add MAC -> Encrypt -> Append WTLS Record Header
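
The record steps listed above (compress, add MAC, encrypt, add a record header) together with the rejection of replayed or unverified messages, as an added example that is not part of the original slides. The header layout, the key names and the HMAC-SHA256 counter-mode keystream are assumptions chosen so the sketch runs on the Python standard library; they are not the WTLS wire format or a WTLS cipher suite.

```python
import hashlib
import hmac
import struct
import zlib

MAC_LEN = 32                 # HMAC-SHA256 tag length
HDR = struct.Struct(">QH")   # assumed header: sequence number, sealed length

def _keystream(key, seq, n):
    """Stand-in cipher: HMAC-SHA256 in counter mode, keyed per record by seq."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]

def _mac(mac_key, seq, body):
    # The sequence number is covered by the MAC so a record cannot be renumbered.
    return hmac.new(mac_key, struct.pack(">Q", seq) + body, hashlib.sha256).digest()

def protect(enc_key, mac_key, seq, user_data):
    """User Data -> Compress -> Add MAC -> Encrypt -> Append Record Header."""
    body = zlib.compress(user_data)
    plain = body + _mac(mac_key, seq, body)
    ks = _keystream(enc_key, seq, len(plain))
    sealed = bytes(a ^ b for a, b in zip(plain, ks))
    return HDR.pack(seq, len(sealed)) + sealed

class Receiver:
    """Accepts a record only if it is fresh and its MAC verifies."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, -1

    def accept(self, record):
        if len(record) < HDR.size + MAC_LEN:
            return None                      # too short to hold header and MAC
        seq, length = HDR.unpack(record[:HDR.size])
        sealed = record[HDR.size:]
        if seq <= self.last_seq or len(sealed) != length:
            return None                      # replayed or truncated record
        ks = _keystream(self.enc_key, seq, length)
        plain = bytes(a ^ b for a, b in zip(sealed, ks))
        body, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(self.mac_key, seq, body)):
            return None                      # modified in transit
        self.last_seq = seq                  # advance only after verification
        return zlib.decompress(body)         # decompress only authenticated data
```

A rejected record leaves `last_seq` unchanged, so a forged record cannot be used to push the window forward and lock out the genuine sender.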





Mobile device: establishes a secure WTLS session with the WAP gateway.
WAP gateway: establishes a secure SSL or TLS session with the Web server.
o Within the gateway, data are not encrypted during the translation process.
o The gateway is thus a point at which the data may be compromised.

Approaches to providing end-to-end security:
o TLS-based security
o IPSec-based security



Access control attacks: attempt to penetrate a network by using wireless or evading WLAN access control measures.
o War Driving
o Rogue Access Points
o Ad Hoc Associations
o MAC Spoofing
o 802.1X RADIUS Cracking

Confidentiality attacks: attempt to intercept private information sent over wireless associations, whether sent in the clear or encrypted by 802.11 or higher layer protocols.
o Eavesdropping
o WEP Key Cracking
o Evil Twin AP
o AP Phishing
o Man in the Middle

Integrity attacks: send forged control, management or data frames over wireless to mislead the recipient or facilitate another type of attack (e.g., DoS).
o 802.11 Frame Injection, 802.11 Data Replay
o 802.1X EAP Replay, 802.1X RADIUS Replay, 802.1X EAP Length Attacks



Authentication attacks: use these attacks to steal legitimate user identities and credentials to access otherwise private networks and services.
o Shared Key Guessing
o PSK Cracking
o Application Login Theft
o Domain Login Cracking
o VPN Login Cracking
o 802.1X Identity Theft, Password Guessing, LEAP Cracking, EAP Downgrade

Availability attacks: impede delivery of wireless services to legitimate users, either by denying them access to WLAN resources or by crippling those resources.
o AP Theft
o Queensland DoS
o 802.11 Beacon Flood, Associate / Authenticate Flood, TKIP MIC Exploit, Deauthenticate Flood
o 802.1X: EAP-Start Flood, EAP-Failure, EAP-of-Death, EAP Length Attacks

Practice wireless network attacks:
o Use tools to execute at least 2 attacks



Ref:
o />
network-attacks




- Wireless security overview
o wireless network threats
o wireless security measures
o IEEE 802.11 wireless LAN overview
o Wi-Fi Alliance
o IEEE 802 protocol architecture
o IEEE 802.11 network components and architectural model
o IEEE 802.11 services

- IEEE 802.11i
o IEEE 802.11i Services
o IEEE 802.11i Phases of Operation
• Discovery Phase
• Authentication Phase
• Key Management Phase
• Protected Data Transfer Phase
o Attack types