Sami Uskela
Department of Electrical and Communications Engineering
Helsinki University of Technology
stu@iki.fi
The concept of the wireless LAN was introduced around 1980, and since 1985 many companies have tried to implement a variety of wireless LAN applications using spread spectrum, infrared and traditional wideband radio technologies [1]. The real breakthrough of wideband wireless applications is happening now: the IEEE 802.11 standard, approved in June 1997, gives a solid platform for new applications, and chips supporting IEEE 802.11 are already on the market. The wireless office market revenue in 1996 was $390 million, of which $218 million belonged to wireless LANs, and it is expected to exceed a billion dollars early in the next millennium [1].
The commercial wireless LAN applications can be divided into five categories [2]:
Today's existing applications aim at four categories of applications [2]:
Security issues are much more pressing in the wireless environment than in wired networks, yet there are still products without any security functions, and even IEEE 802.11 specifies the security functions as an optional feature. At the same time, security in the Internet is becoming more and more vital, and the IPSEC concept and IPv6 are going to demand ciphering and authentication as mandatory functions in network equipment. So there is a real need for developing the security of wireless networks.
2 Abbreviations and Definitions
The following abbreviations (table 1) and definitions (table 2) are used in this document.
| Abbreviation | Meaning |
|---|---|
| AP | Access Point |
| ATM | Asynchronous Transfer Mode |
| BER | Bit Error Rate |
| BSS | Basic Service Set; a set of stations communicating wirelessly on the same channel in the same area (in IEEE 802.11) |
| CA | Certificate Authority |
| CAC | Channel Access Control (in HIPERLAN) |
| CAM | Channel Access Mechanism (in HIPERLAN) |
| CCITT | Comité Consultatif International Télégraphique et Téléphonique (now ITU-T) |
| ESS | Extended Service Set; a set of BSSs and wired LANs with Access Points that appear as a single logical BSS (in IEEE 802.11) |
| ETSI | European Telecommunications Standards Institute |
| ETR | ETSI Technical Report |
| GSM | Global System for Mobile communications |
| HIPERLAN | HIgh PErformance Radio Local Area Network |
| HM-entity | HIPERLAN MAC entity |
| ICV | Integrity Check Vector |
| IEEE | Institute of Electrical and Electronics Engineers |
| ISO | International Standard Organisation |
| IV | Initialization Vector |
| LAN | Local Area Network |
| MAC | Medium Access Control |
| MPDU | MAC Protocol Data Unit |
| PEM | Privacy Enhanced Mail |
| PHY | Physical layer |
| PRNG | Pseudo Random Number Generator |
| bps | bits per second |
| SKCS | Shared Key Cryptography System |
| UMTS | Universal Mobile Telecommunications System |
| WEP | Wired Equivalent Privacy |
| Term | Definition |
|---|---|
| ad-hoc | In the ad-hoc configuration the wireless LAN has no fixed components |
| authentication | The identification of the parties |
| base | Usually the fixed base station of the wireless LAN, sometimes referred to as an Access Point |
| cipher text | The data after ciphering |
| confidentiality | Only the intended parties can access the data |
| coverage | The area where the transmission of a node can be heard |
| denial of service | An attack preventing the system from being used |
| eavesdropping | Capturing the data by an unintended party |
| end-to-end | From the sending node to the intended receiver |
| integrity | The message cannot be modified or replaced by unintended parties |
| key management | The policy for distributing and storing the private and public keys |
| plain text | The data to be sent, before ciphering |
| pre-arranged | In the pre-arranged configuration the wireless LAN has some fixed components, like bases |
| private key | A sensitive key that must not be compromised |
| public key | A non-sensitive key that can be published |
| shared key | A secret key common to many users or network nodes |
| station-to-station | From one node to the next one in the network |
| transitive trust | An attack exploiting host-host or network-network trust |
This section describes two existing wireless network standards, concentrating on the security functions they provide. Proprietary solutions (like Lucent Technologies' WaveLAN), existing mobile telephone networks (like GSM) and future technologies (like wireless ATM or UMTS) are outside the scope of this paper.
3.1 HIPERLAN
In this paper, the term "HIPERLAN" is used to refer to HIPERLAN, Type 1 [3].
HIPERLAN is ETSI's wireless broadband access standard, which defines the MAC sublayer, the Channel Access Control (CAC) sublayer and the physical layer. The MAC accesses the physical layer through the CAC, which allows easy adaptation to different physical layers. The currently defined physical layers use the 5.15 - 5.30 GHz frequency band and support 2 048 Kbps synchronous traffic and up to 25 Mbps asynchronous traffic. HIPERLAN has the following properties [3]:
The HIPERLAN specification [3] defines an encryption-decryption scheme for optional use in a HIPERLAN. In this scheme, all HM-entities of a HIPERLAN shall use a common set of shared keys, referred to as the HIPERLAN key-set. Each of these keys has a unique key identifier. Plain text is ciphered by an XOR operation with a random sequence generated by a confidential [5] algorithm, which takes as input the secret key and an initialization vector sent in every MPDU (see figure 1). ETSI claims that the defined scheme provides the level of protection of a wired LAN [3].
Figure 1: HIPERLAN encryption-decryption scheme [3]
It is impossible to say anything for sure about the protection level that this scheme offers, because the algorithms are not available. But the lack of independent and public analysis arouses some suspicion about the strength of the algorithms. The HIPERLAN standard does not define any kind of authentication, which sounds very strange for this kind of system. In my humble opinion one should not trust the security level offered by the HIPERLAN specification in any sensitive application, but should use some additional mechanism to meet the security requirements set for the wireless LAN.
3.2 IEEE 802.11 [6]
The IEEE 802.11 standard defines the physical layers and the MAC sublayer for wireless LANs. There are three different physical layers: Frequency Hopping Spread Spectrum Radio, Direct Sequence Spread Spectrum Radio and Baseband Infrared. All physical layers can offer a 2 Mbps data rate; the radio PHYs use the 2 400 - 2 483.5 MHz frequency band. The MAC layer is common to all three PHYs and has the following features [2]:
IEEE 802.11 defines two authentication schemes: Open System Authentication and Shared Key Authentication. The former is actually a null authentication: all mobiles requesting access are accepted to the network. The latter uses shared key cryptography to authenticate the mobile. When a mobile requests authentication, the base sends a 128 octet (1024 bit) random number to the mobile, encrypted using the shared key. The mobile decrypts the random number using the same shared key as the base and sends it back to the base. If the number that the base receives is correct, the mobile is accepted to the network. All mobiles allowed to connect to the network use the same shared key, so this authentication method is only able to verify that a particular mobile belongs to the group of mobiles allowed to connect to the network; there is no way to distinguish the mobiles from each other. There are also no means for the mobile to authenticate the network. IEEE 802.11 does not define any key management functions.
IEEE 802.11 defines an optional Wired Equivalent Privacy (WEP) mechanism to implement the confidentiality and integrity of the traffic in the network. WEP is used at the station-to-station level and does not offer any end-to-end security. WEP uses the RC4 PRNG [8] algorithm seeded with a 40 bit secret key and a 24 bit initialization vector (IV) sent with the data. WEP includes an integrity check vector (ICV) to allow an integrity check. One MPDU frame contains the clear text IV, the ICV and the cipher text data block, so the receiver is always able to decrypt the cipher text block and to check the integrity. The IV may always be new, or it may be reused for a limited time. The scheme is illustrated in figure 2.
Figure 2: WEP mechanism [7]
The PRNG algorithm used in IEEE 802.11 is RC4 [8] from RSA Inc. The actual algorithm is not public, but it has been studied in independent research laboratories under nondisclosure agreements and no weaknesses have yet been reported, which does not guarantee that none exist. In any case the secret key used is only 40 bits long, which can be recovered by a brute-force attack in 2 seconds with $100 000 hardware and in 0.2 seconds with $1 000 000 hardware according to 1995 figures [13]; today the hardware prices are significantly lower. Even with the additional strength gained from a variable IV, the protection level of WEP may not be considered strong enough for the most sensitive applications. The Shared Key Authentication scheme could easily be fooled using, for example, a play-back attack. So an additional authentication mechanism is needed in any case.
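To make the WEP frame construction described above concrete, here is an added model (not code from the paper or from the IEEE standard) of the sender-side encapsulation, the receiver-side decryption with ICV check, and a monitor-side check that flags reused IVs, which is why the "reused for a limited time" option matters. Assumptions: RC4 is implemented directly since it is public today, the 40 bit key and 24 bit IV are as the paper states, and the ICV is taken to be CRC-32, which the paper does not name.

```python
import zlib
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by keystream generation (the algorithm was
    proprietary in 1997, as the paper notes; it has since been published)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    # Integrity check vector; assumed here to be CRC-32 (the paper does not name it)
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encapsulate(key40: bytes, iv: bytes, plaintext: bytes):
    """Sender: the clear-text IV is sent beside (plaintext || ICV) XOR RC4(IV || key)."""
    assert len(key40) == 5 and len(iv) == 3, "WEP: 40 bit secret key, 24 bit IV"
    body = plaintext + icv(plaintext)
    return iv, xor(body, rc4_keystream(iv + key40, len(body)))


def wep_decapsulate(key40: bytes, iv: bytes, ciphertext: bytes):
    """Receiver: rebuild the keystream from the clear IV and the shared key, decrypt,
    then check the ICV. Returns the plaintext, or None when the ICV does not match."""
    body = xor(ciphertext, rc4_keystream(iv + key40, len(ciphertext)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def reused_ivs(frames) -> dict:
    """Monitor-side check over (iv, ciphertext) frames sent under one key: any IV seen
    more than once. Two frames with the same IV are ciphered with the identical
    keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts,
    and a 24 bit IV can only label 2**24 frames before it has to repeat."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}
```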
4 Threats and Vulnerabilities Compared to Wired LANs
In this section we will concentrate on the wireless LANs using the radio path as a transmission medium.
In the wireless LAN environment we have to deal with all the same security problems that we have in the conventional wired LAN environment, but some security issues are emphasised when we are using the radio path. The currently known active attacks can be divided into the following categories [9]:
Eavesdropping is very easy in the radio environment: when one sends a message over the radio path, everyone equipped with a suitable transceiver within range of the transmission can eavesdrop on the message. This kind of transceiver equipment, for example a standard wireless LAN mobile, maybe with a special antenna, is very reasonably priced. The sender or the intended receiver has no means of knowing whether the transmission has been eavesdropped, so this kind of eavesdropping is absolutely undetectable.
The frequency band and the transmitter power used have a great effect on the range at which the transmission can be heard. When we are using the 2 or 5 GHz radio band and transmitter power up to 1 W, as in the case of the current wireless LAN standards, the traffic of the wireless LAN can be eavesdropped from outside the building in which the network is operating if there is no special electromagnetic shielding. So we cannot truly trust that our network stays inside our office building.
In the wireless LAN environment the ease of eavesdropping justifies quite costly procedures to guarantee the confidentiality of the network traffic. In all wireless LAN standards this is taken care of by some kind of link level ciphering done by the MAC entities, but the safety gained with these algorithms may not be good enough for the most demanding applications.
4.2 Transitive Trust
When we have a wireless LAN as a part of our enterprise network, it offers the attacker one interface, requiring no physical arrangements, through which to intrude into our network. In wired networks we can always trace the wire from our computer to the next network node, but in the wireless environment there is no such way to find out with whom we are talking. That makes efficient authentication mechanisms crucial for the security of wireless LANs. In all cases both parties of the transmission should be able to authenticate each other.
The wireless LAN could be used as a launch pad for a transitive trust attack. If the attacker can fool our wireless LAN into trusting the mobile he controls, then there is a hostile network node inside all the firewalls of our enterprise network, and it is very difficult to prevent any hostile actions after that. This kind of attack can be done from outside our site with standard wireless LAN hardware compatible with our equipment. The only real protection against this kind of attack is a strong authentication mechanism for the mobiles accessing the wireless LAN. The discovery of unsuccessful attacks must rely on the logging of unsuccessful logon attempts, but it might be very hard to find out whether there has been a real attack attempt, because in normal operation unsuccessful logon attempts occur anyway, due to the high BER on the radio path and from mobiles that belong to some other wireless LAN.
The other kind of transitive trust attack, specific to wireless networks, is fooling the mobile into trusting a base controlled by the attacker as our base. When a mobile is switched on it usually tries first to log on to the network with the strongest signal and, if that fails, the rest in order of signal power. Now, if the attacker has a base with high transmission power, he may be able to fool our mobiles into trying first to log on to the attacker's network. There are basically two possibilities: the attacker may let us log on to his network, make it pretend to be our network and find out the passwords, secret keys, etc., or the attacker may just reject our logon attempts but record all the messages exchanged during the logon process and find out the secret keys or passwords used for authentication in our network by analyzing these messages. The former case is very difficult to implement without very detailed information about our network services and is probably detected very soon, but the latter requires just standard base hardware, maybe with a special antenna, compatible with our equipment, and is very difficult to detect, because the mobiles do not usually report unsuccessful logon attempts to the upper layers and there are a lot of unsuccessful logon attempts even in normal circumstances. The only protection against these attacks is an efficient authentication mechanism which allows the mobile to authenticate the base without any disclosure of the secret keys or passwords it uses to log on to our network.
4.3 Infrastructure
Infrastructure attacks are based on some weakness in the system: a software bug, a configuration mistake, a hardware failure, etc. These kinds of situations will certainly occur in wireless LANs, too. But protection against this kind of attack is almost impossible: you do not know about the bug until something happens. So the only thing to do is to keep the possible damage as small as possible.
4.4 Denial of Service
Due to the nature of radio transmission, wireless LANs are very vulnerable to denial of service attacks. If the attacker has a powerful enough transceiver, he can easily generate such radio interference that our wireless LAN is unable to communicate over the radio path. This kind of attack can be done from outside our site, for example from a van parked on the street or from an apartment in the next block. The equipment needed to commit this kind of attack can be bought from any electronics store at a reasonable price, and any short-wave radio enthusiast has the knowledge needed to construct the equipment.
Protection against this kind of attack is very difficult and expensive. The only total solution is to have our wireless network inside a Faraday cage, but this is applicable only in very rare cases. On the other hand, it is easy for the authorities to locate the transceiver used to generate the interference, so the attacker has limited time before the transceiver is found.
On the other hand, wireless LANs are not as vulnerable as wired LANs to the other kinds of denial of service attacks. For example, a fixed LAN node can be isolated from the network simply by cutting the wire, which is not possible in the wireless environment. If the attacker cuts the power of the whole site, then all wired networks are usually useless, but wireless LANs can be used in the ad-hoc configuration with laptops or other battery powered computers.
5 Secure Solution
One can easily see that the standards described in chapter 3 do not fulfill the security requirements against the attacks described in chapter 4. This section will present some mechanisms and protocols that make wireless LANs safer.
5.1 Design Goals
The major requirement for this kind of solution is seamless integration into existing wired networks. It is very probable that we have plenty of fixed network nodes already installed in our enterprise network, so we should avoid any need to modify the existing nodes.
There are different alternatives for securing a connection: end-to-end security at the application level, end-to-end security at the transport layer and link security at the link layer. In current data networks there are only a few commonly used end-to-end security schemes (like SSL and SSH), so link security is the only applicable approach if we want to leave our existing network alone.
Dropping the end-to-end mechanisms rules out user authentication. We have only station-to-station (or machine-to-machine) authentication left, since those are the entities primarily communicating over the wireless link. Machine-to-machine authentication is in fact conceptually correct for a security protocol at the link layer [10].
Another design goal is two-way authentication: for the reasons discussed in 4.2 it is vital that both the base and the mobile are able to authenticate each other. The authentication mechanism should enable the identification of the mobiles and allow distinct keys to be used in different bases and mobiles.
The final goal is to have some flexibility to utilize future advances in cryptography. There should also be interoperability between all versions of the wireless products, even if there exist different regulatory limitations on the use of cryptography.
5.2 Design Overview
The solution discussed here needs several modifications to current wireless LAN products and standards, so its implementation is not currently feasible. The aim is rather to show the direction in which the evolution should go.
This is a hybrid solution: the authentication is done using public key cryptography and the ciphering of the transmission uses shared key cryptography. The shared keys are created during the authentication and may be changed during the transmission. The actual cryptographic algorithms are not defined, because of the rapid development in this area.
5.3 Authorization [10]
Table 3 defines the nomenclature used in this chapter.
| Notation | Meaning |
|---|---|
| E(X,Y) | encryption of Y under key X |
| MD(X) | Message Digest of X |
| Pub_CA | Public Key of Certification Authority |
| Priv_CA | Private Key of Certification Authority |
| Pub_Mobile | Public Key of Mobile Host |
| Priv_Mobile | Private Key of Mobile Host |
| Pub_Base | Public Key of Base Station |
| Priv_Base | Private Key of Base Station |
| Cert_Mobile | Certificate of Mobile Host |
| Cert_Base | Certificate of Base Station |
| Sig(X,Y) | signature of Y with key X, where Sig(X,Y) = E(X, MD(Y)) |
| Signed(X,Y) | resulting signed message {Y, Sig(X,Y)} |
The authorization mechanism uses certificates formatted according to CCITT X.509 [11], as used in X.500 and PEM. A certificate contains the following information: {Serial Number, Validity Period, Machine Name, Machine Public Key, CA Name}. Each certificate is signed by the CA, which in our case might be the enterprise's own CA.
The first message sent from the mobile to the base contains the following information: {Cert_Mobile, CH1, List of SKCSs}. CH1 is a randomly generated number. The List of SKCSs is transmitted to allow negotiation of the algorithm to be used; the algorithm identifier and the key size are sent in the list.
When the base has received the first message, it will attempt to verify the signature on Cert_Mobile. A valid signature proves that the public key in the certificate belongs to a certified mobile host, but it does not yet establish that the certificate actually belongs to the mobile that submitted it. If the certificate is invalid, the base rejects the connection attempt.
Now the base replies to the mobile by sending a message containing {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, CH1, List of SKCSs})}. The random number RN1 is saved internally for later use. The Chosen SKCS is one from the list sent by the mobile and includes the algorithm identifier and the key size; the Chosen SKCS is the most secure of those supported by both the base and the mobile.
The mobile validates Cert_Base; if the certificate is valid, the mobile verifies the signature of the message using the public key of the base. The signature is valid and the base authenticated if CH1 and the List of SKCSs match those sent by the mobile to the base. Since the List of SKCSs is included in the signature, the attacker cannot substitute a weakened list of SKCSs by jamming the original message and sending his own, and we do not need to sign the first message.
Now the mobile sends to the base a message containing: {E(Pub_Base, RN2), Sig(Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile, RN1)})}. RN2 is a random number generated by the mobile. From now on the mobile will use RN1 XOR RN2 as the session key.
The base verifies the signature of the message using Pub_Mobile obtained from Cert_Mobile in the first message. If the signature is valid, the mobile is authenticated. Next the base decrypts E(Pub_Base, RN2) with its own private key. Now the base can form the session key RN1 XOR RN2.
The session key is formed from two parts sent in different messages to gain better protection. Now compromising the mobile's private key does not compromise the whole traffic between the base and the mobile. Since both halves of the session key are random and of equal length, knowing either RN1 or RN2 alone tells nothing about the session key.
If all these steps have succeeded, mutual authentication has been done and the session is established. Figure 3 summarizes the authentication protocol. The correctness of this protocol is proved in [10].
This authentication should be done in the MAC layer, before any network access is granted to the mobile. If we give the mobile an IP address before the authentication, it may be used as a launch pad even if its authentication request is rejected.
Figure 3: Authentication Protocol [10]
5.4 Integrity and Confidentiality
Confidentiality can be achieved by using some existing symmetric cryptography algorithm, like IDEA or DES. Once the session key is agreed using the mechanism described in 5.3, the available algorithms are strong enough for our purposes. However, the high BER on the radio link may set some limitations on the selected algorithm.
Integrity is achieved by a fingerprint generated by some one-way hash function, like MD5 or SHA. There should be a fingerprint in each MPDU message, because of the high packet loss rate in the wireless environment.
There should be some link level ciphering in any case. If we are using some ciphering in our fixed network (e.g. IPSEC), then we can select weaker ciphering for the wireless LAN at the link level. But there should be some ciphering in any case: to defend against traffic analysis we have to cipher the network layer headers as well.
5.5 Key Change Protocol [10]
The nomenclature defined in table 3 is used here. The key exchange may be initiated from either end of the communication; the base-initiated case is handled first.
First the base sends to the mobile the message Signed(Priv_Base, { E(Pub_Mobile, New_RN1), E(Pub_Mobile, RN1) }) and the mobile responds with the message Signed(Priv_Mobile, { E(Pub_Base, New_RN2), E(Pub_Base, RN2) }).
If the mobile initiates the key exchange procedure, it sends to the base the message Signed(Priv_Mobile, { E(Pub_Base, New_RN2), E(Pub_Base, RN2) }) and the base responds with Signed(Priv_Base, { E(Pub_Mobile, New_RN1), E(Pub_Mobile, RN1) }).
Again the value New_RN1 XOR New_RN2 is used as the new session key. The values RN1 and RN2 are always the last ones used. In both cases RN1 always refers to the random number generated by the base and RN2 to the random number generated by the mobile. The values of RN1 and RN2 are verified against the internally saved values, and if they do not match, the key exchange is ignored. Thus the key exchanges cannot be played back and we do not need to save any sequence numbers.
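The authentication protocol of 5.3 and the key change protocol of 5.5, written out as an added toy model in Python; this is not code from the paper or from [10]. Assumptions: textbook RSA over Mersenne primes stands in for the unspecified public key algorithm, MD is SHA-256 truncated to 64 bits, message bodies are canonical JSON, RN1, RN2 and CH1 are 64 bit random numbers, and the SKCS ranking used to pick the strongest common algorithm is constructed.

```python
import hashlib, json, secrets

E = 65537  # assumed public exponent; the paper deliberately leaves the algorithms open

def keygen(p, q):                     # textbook RSA from two primes: (Pub, Priv) = ((e, n), (d, n))
    return (E, p * q), (pow(E, -1, (p - 1) * (q - 1)), p * q)

def enc(key, x):                      # E(X, Y) on an integer; with a private key this decrypts or signs
    return pow(x, key[0], key[1])

def md(obj):                          # MD(X): SHA-256 over canonical JSON, truncated to 64 bits
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()[:8], "big")

def sig(priv, obj):                   # Sig(X, Y) = E(X, MD(Y))
    return enc(priv, md(obj))

def verify(pub, obj, s):
    return enc(pub, s) == md(obj)

def issue_cert(name, pub, priv_ca):   # {Serial, Validity, Machine Name, Public Key, CA Name} signed by the CA
    body = {"serial": secrets.randbits(64), "validity": "1998", "name": name, "pub": pub, "ca": "EnterpriseCA"}
    return {"body": body, "sig": sig(priv_ca, body)}

SKCS_RANK = {"DES-56": 1, "IDEA-128": 2}   # constructed ranking: higher is considered stronger

class Party:
    def __init__(self, cert, priv, pub_ca, skcs):
        self.cert, self.priv, self.pub_ca, self.skcs = cert, priv, pub_ca, skcs

    def session_key(self):            # RN1 XOR RN2; RN1 comes from the base, RN2 from the mobile
        return self.rn1 ^ self.rn2

    def peer_cert_ok(self, cert):     # valid CA signature; that the peer holds the key is proven later
        ok = verify(self.pub_ca, cert["body"], cert["sig"])
        if ok: self.peer_pub = cert["body"]["pub"]
        return ok

class Mobile(Party):
    def msg1(self):                   # {Cert_Mobile, CH1, List of SKCSs}, sent unsigned
        self.ch1 = secrets.randbits(64)
        return {"cert": self.cert, "ch1": self.ch1, "skcs": self.skcs}

    def msg3(self, m2):               # {E(Pub_Base, RN2), Sig(Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile, RN1)})}
        signed = {"e_rn1": m2["e_rn1"], "chosen": m2["chosen"], "ch1": self.ch1, "skcs": self.skcs}
        if not (self.peer_cert_ok(m2["cert"]) and verify(self.peer_pub, signed, m2["sig"])):
            return None               # replayed, tampered or downgraded message 2: base not authenticated
        self.rn1, self.rn2 = enc(self.priv, m2["e_rn1"]), secrets.randbits(64)
        e_rn2 = enc(self.peer_pub, self.rn2)
        return {"e_rn2": e_rn2, "sig": sig(self.priv, {"e_rn2": e_rn2, "e_rn1": m2["e_rn1"]})}

class Base(Party):
    def msg2(self, m1):               # {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {...})}
        if not self.peer_cert_ok(m1["cert"]):
            return None               # invalid certificate: reject the connection attempt
        chosen = max((s for s in m1["skcs"] if s in self.skcs), key=SKCS_RANK.__getitem__)
        self.rn1 = secrets.randbits(64)
        self.e_rn1 = enc(self.peer_pub, self.rn1)
        signed = {"e_rn1": self.e_rn1, "chosen": chosen, "ch1": m1["ch1"], "skcs": m1["skcs"]}
        return {"cert": self.cert, "e_rn1": self.e_rn1, "chosen": chosen, "sig": sig(self.priv, signed)}

    def finish(self, m3):
        if not verify(self.peer_pub, {"e_rn2": m3["e_rn2"], "e_rn1": self.e_rn1}, m3["sig"]):
            return False              # mobile not authenticated
        self.rn2 = enc(self.priv, m3["e_rn2"])
        return True

def rekey_msg(party, new_rn, old_rn): # 5.5: Signed(Priv_me, {E(Pub_peer, New_RN), E(Pub_peer, RN)})
    body = {"new": enc(party.peer_pub, new_rn), "old": enc(party.peer_pub, old_rn)}
    return {"body": body, "sig": sig(party.priv, body)}

def rekey_accept(party, msg, saved_old):  # the peer's New_RN, or None: a bad signature or a stale RN is ignored
    if not verify(party.peer_pub, msg["body"], msg["sig"]) or enc(party.priv, msg["body"]["old"]) != saved_old:
        return None
    return enc(party.priv, msg["body"]["new"])

def make_parties():                   # Mersenne primes keep the toy moduli distinct; real keys would be far larger
    pub_ca, priv_ca = keygen(2**127 - 1, 2**521 - 1)
    pub_b, priv_b = keygen(2**89 - 1, 2**107 - 1)
    pub_m, priv_m = keygen(2**31 - 1, 2**61 - 1)
    return (Mobile(issue_cert("mobile-7", pub_m, priv_ca), priv_m, pub_ca, ["IDEA-128", "DES-56"]),
            Base(issue_cert("base-1", pub_b, priv_ca), priv_b, pub_ca, ["DES-56", "IDEA-128"]))

def run_session():                    # 5.3 handshake, then a base-initiated 5.5 key change and a replay of it
    mob, base = make_parties()
    m2 = base.msg2(mob.msg1())
    ok = base.finish(mob.msg3(m2))
    k0 = (mob.session_key(), base.session_key())
    new_rn1, old_rn2 = secrets.randbits(64), mob.rn2
    req = rekey_msg(base, new_rn1, base.rn1)
    mob.rn1, mob.rn2 = rekey_accept(mob, req, mob.rn1), secrets.randbits(64)
    base.rn2, base.rn1 = rekey_accept(base, rekey_msg(mob, mob.rn2, old_rn2), base.rn2), new_rn1
    k1 = (mob.session_key(), base.session_key())
    return {"authenticated": ok, "chosen": m2["chosen"], "keys_match": k0[0] == k0[1],
            "rekeyed": k1[0] == k1[1] and k1 != k0, "replay_ignored": rekey_accept(mob, req, mob.rn1) is None}
```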
5.6 Key Management
Key management is one of the hardest parts to implement in a convenient way. One possible procedure using smart card technology is described below:
In order to avoid reading the private key from the smart card, the public key cryptography system must be run inside the smart card, and the computing power of smart cards sets some limitations on the efficiency of this approach. Of course, a smart card reader is needed for each mobile used in the wireless LAN. But it is not a very wild guess that smart card technology will become more efficient and cheaper in the near future.
The concept described here is not the only one: it is also possible to use the Web of Trust scheme for key management (like in PGP), or the user may generate the key pair himself and then give the public key to the CA for certificate signing, but user identification must somehow be done in this case, too.
5.7 Solution Analysis
The solution described above fulfills all the goals stated in 5.1: the authentication mechanism implements mutual authentication, the negotiation of the symmetric cryptography algorithm gives some flexibility between different versions and allows future enhancements, and the concept does not need any modifications to the existing networks.
This solution is designed for maximum security, which may limit the performance of the network. One may consider using faster ciphering for, for example, insensitive video clips, but much better (and therefore slower) ciphering for sensitive traffic. No end-to-end security is offered; that must be taken care of in the upper layers.
Key management using smart cards has been found quite functional even in mass products, like GSM. The major challenge is the limited computing power of the smart card, which leads to a longer authentication time. The time used for authentication may become critical if the mobile moves from one base station to another and the handover procedure must be performed. The authentication procedure during handover could be sped up by using the different authentication scheme described in [12], but this kind of optimization is out of the scope of this paper. The longer computing time also leads to greater power consumption, which is always a critical aspect in the mobile environment.
This concept does not support multiple CAs, and in large networks that may become a problem; however, multiple CA support could be achieved with just the minor modifications described in [10]. Another problem for this kind of concept is multicast support: this solution has no support for ciphered multicast.
6 Conclusions
The current wireless LAN standards offer a very unsatisfactory level of security and one cannot truly trust them. When using products based on these standards, the security issues must be taken care of in the upper layers. The authentication mechanism described in 5.3 may be used over IP to perform end-to-end authentication, as described in [12], but this approach gives a potential launch pad for the attacker.
Some commonly used attacks are more pronounced in the wireless environment and some additional effort should be made to prevent them. The nature of radio communication makes it practically impossible to prevent some attacks, like denial of service using radio interference. When wireless networks are used in strategic applications, like manufacturing or hospitals, the possibility of this kind of attack should be taken into account with great care.
As shown in chapter 5, a quite secure wireless LAN is possible to implement with current technology. The current hardware could be used with only some modifications in the MAC layer protocols, and over that new MAC the current IP may be used without any problems. However, it is not probable that products supporting this level of security will come to the market soon, mostly due to US regulations; almost all manufacturers are American.
7 References