The document provides an overview of wireless network and mobile device security. It discusses some key factors that contribute to higher security risks for wireless networks compared to wired networks, including the wireless channel, mobility, limited device resources, and accessibility. It also describes common wireless network threats like accidental association, man-in-the-middle attacks, denial of service attacks, and network injection. The document then discusses measures to secure wireless transmissions and access points. It outlines security threats specific to mobile devices like lack of physical security controls and use of untrusted networks and applications. Finally, it provides an overview of IEEE 802.11 wireless LAN security standards including WEP, WPA, RSN, and the phases of 802.
2. Table of Contents
18.1 Wireless Security
18.2 Mobile Device Security
18.3 IEEE 802.11 Wireless LAN Overview
18.4 IEEE 802.11i Wireless LAN Security
18.5 Recommended Reading
18.6 Key Terms, Review Questions, and Problems
2
3. 1. Wireless Security
Some of the key factors contributing to the higher security risk
of wireless networks compared to wired networks include the
following
• Channel: Eavesdropping and jamming than wired networks. Wireless
networks are also more vulnerable to active attacks that exploit
• Mobility: Mobility results in a number of risks.
• Resources: Limited memory and processing resources with which to
counter threats, including denial of service and malware.
• Accessibility: Greatly increases their vulnerability to physical attacks.
3
4. Wireless Network Threats (1/2)
• Accidental association : A user intending to connect to one LAN may
unintentionally lock on to a wireless access point from a neighboring
network.
• Malicious association : a wireless device is configured to appear to be a
legitimate access point, enabling the operator to steal passwords from
legitimate users and then penetrate a wired network through a legitimate
wireless access point.
• Ad hoc networks : peer-to-peer networks between wireless computers
with no access point between them
• Nontraditional networks : Nontraditional networks and links, such as
personal network Bluetooth devices, barcode readers, and handheld
PDAs, pose a security risk in terms of both eavesdropping and
spoofing.
4
18.1 Wireless Security
5. Wireless Network Threats (2/2)
• Identity theft (MAC spoofing): This occurs when an attacker is able to
eavesdrop on network traffic and identify the MAC address of a
computer with network privileges.
• Man-in-the middle attacks: This attack involves persuading a user and
an access point to believe that they are talking to each other when in
fact the communication is going through an intermediate attacking
device. Wireless networks are particularly vulnerable to such attacks.
• Denial of service (DoS): The wireless environment lends itself to this
type of attack, because it is so easy for the attacker to direct multiple
wireless messages at the target.
• Network injection: A network injection attack targets wireless access
points that are exposed to nonfiltered network traffic, such as routing
protocol messages or network management messages. An example of
such an attack is one in which bogus reconfiguration commands are
used to affect routers and switches to degrade network performance.
5
18.1 Wireless Security
6. 6
Wireless Security Measures (1/2)
Securing Wireless Transmissions
principal threats to wireless transmission are eavesdropping, altering or
inserting messages, and disruption
• Signal-hiding techniques: Organizations can take a number of measures
to make it more difficult for an attacker to locate their wireless access
points, including turning off service set identifier (SSID) broadcasting by
wireless access points; assigning cryptic names to SSIDs; reducing
signal strength to the lowest level that still provides requisite coverage;
and locating wireless access points in the interior of the building, away
from windows and exterior walls. Greater security can be achieved by
the use of directional antennas and of signal-shielding techniques.
• Encryption: Encryption of all wireless transmission is effective against
eavesdropping to the extent that the encryption keys are secured.
18.1 Wireless Security
7. 7
Wireless Security Measures (2/2)
Securing Wireless Access Points
The main threat involving wireless access points is unauthorized access to the
network. The principal approach for preventing such access is the IEEE
802.1X standard for port-based network access control.
Securing Wireless Networks
1. Use encryption. Wireless routers are typically equipped with built-in
encryption mechanisms for router-to-router traffic.
2. Use antivirus and antispyware software, and a firewall.
3. Turn off identifier broadcasting. If a network is configured so that
authorized devices know the identity of routers, this capability can be
disabled, so as to thwart attackers.
4. Change the identifier on your router from the default.
5. Change your router’s pre-set password for administration. This is another
prudent step.
6. Allow only specific computers to access your wireless network. A router can
be configured to only communicate with approved MAC addresses.
18.1 Wireless Security
8. Security Threats (1/4)
SP 800-14 lists seven major security concerns for mobile
devices.
• Lack of Physical Security Controls
Mobile device is required to remain on premises, the user
may move the device within the organization between secure
and nonsecured locations. theft and tampering are realistic
threats.
The threat is two fold:
1) A malicious party may attempt to recover sensitive data from the device
itself
2) may use the device to gain access to the organization’s resources.
8
18.2 Mobile Device Security
9. Security Threats (2/4)
• Use of Untrusted Mobile Devices
In addition to company-issued and company-controlled
mobile devices, virtually all employees will have personal
smartphones and/or tablets. The organization must assume
that these devices are not trustworthy.
• Use of Untrusted Networks
If a mobile device is used on premises, it can connect to
organization resources over the organization’s own in-house
wireless networks.
Thus, traffic that includes an off-premises segment is
potentially susceptible to eavesdropping or man-in-the-
middle types of attacks.
9
18.2 Mobile Device Security
10. Security Threats (3/4)
• Use of Applications Created by Unknown Parties
By design, it is easy to find and install third-party
applications on mobile devices. This poses the obvious risk
of installing malicious software.
• Interaction with Other Systems
Unless an organization has control of all the devices involved
in synchronization, there is considerable risk of the
organization’s data being stored in an unsecured location,
plus the risk of the introduction of malware.
10
18.2 Mobile Device Security
11. Security Threats (4/4)
• Use of Untrusted Content
Mobile devices may access and use content that other
computing devices do not encounter..
• Use of Location Services
The GPS service, it creates security risks. An attacker can
use the location information to determine where the device
and user are located, which may be of use to the attacker.
11
18.2 Mobile Device Security
13. 13
• Station : The device is compatible with MAC and physical layer to
IEEE802.11
• Access point (AP) : Station has a function. And an object that provides
access to the distribution system over a wireless medium
• Basic service set (BSS) : Station set of all possible approaches,
including the AP and the AP
• Extended service set (ESS) : A set of two or more mutually
connected BSS in the expanded form of the BSS.
• Distribution system (DS) : BBS and the LAN and connects the system
to generate an extended service set
18.3 IEEE 802.11 Wireless LAN Overview
14. 14
• MAC protocol data unit (MPDU) : Unit for exchanging data
using a physical layer service between the two MAC entities
• MAC service data unit (MSDU) : One information unit between
MAC users
• Coordination function : Station logic function which operates
within the BBS is decided to permit the transfer and acceptor
Protocol data units (PDUs)
18.3 IEEE 802.11 Wireless LAN Overview
15. 15
IEEE Standard Protocol Model
.....
Transport Layer
Network Layer
Data Link Layer
Physical Layer
OSI 7Layer
18.3 IEEE 802.11 Wireless LAN Overview
Fig2. IEEE 802.11 Protocol Stack
17. 17
• Direct communication between the client stations in the BSS does not
occur.
• All Station within the BSS is a BSS, which is called directly transmitted
and received without passing through the AP Independent BSS (IBSS).
18.3 IEEE 802.11 Wireless LAN Overview
Fig5. IEEE 802.11 Extended Service Set
18. 18
Primary service used by stations to exchange MPDUs when
the MPDUs must traverse the DS to get from a station in one
BSS to a station in another BSS
Primary service used by stations to exchange MPDUs when
the MPDUs must traverse the DS to get from a station in one
BSS to a station in another BSS
Service enables transfer of data between a station on an
IEEE 802.11 LAN and a station on an integrated IEEE 802.x
LAN.
The term integrated refers to a wired LAN that is physically
connected to the DS and whose stations may be logically
connected to an IEEE 802.11 LAN via the integration service.
Service enables transfer of data between a station on an
IEEE 802.11 LAN and a station on an integrated IEEE 802.x
LAN.
The term integrated refers to a wired LAN that is physically
connected to the DS and whose stations may be logically
connected to an IEEE 802.11 LAN via the integration service.
18.3 IEEE 802.11 Wireless LAN Overview
19. 19
Association : Establishes an initial association between a station
and an AP. Before a station can transmit or receive frames on a
wireless LAN, its identity and address must be known. For this
purpose, a station must establish an association with an AP
within a particular BSS. The AP can then communicate this
information to other APs within the ESS to facilitate routing and
delivery of addressed frames.
Reassociation : Enables an established association to be
transferred from one AP to another, allowing a mobile station to
move from one BSS to another.
Disassociation : A notification from either a station or an AP
that an existing association is terminated. A station should give
this notification before leaving an ESS or shutting down.
However, the MAC management facility protects itself against
stations that disappear without notification.
18.3 IEEE 802.11 Wireless LAN Overview
20. 20
• Wired Equivalent Privacy (WEP) algorithm
– Provides security between the wireless LAN operated as
part of the 802.11.
• Wi-Fi Protected Access (WPA)
– Was created by the WiFi Alliance.
– 802.11i security protocols to be used in the draft version
• Robust Security Network (RSN)
– Recent 802.11i standard form
18.4 IEEE 802.11i Wireless Security
21. 21
• Authentication: Mutual recognition between the user and the AS
using the protocol and defines a temporary key generation
used between the client and the AP between the wireless link.
• Access control: Use the authentication function, will be done
through the proper message routing and key exchange. The
implementation of this feature, using a variety of authentication
protocols.
• Privacy with message integrity: Encrypting the message with
the integrity code can be confirmed that the data has not
changed the data in the MAC layer.
802.11i RSN security services
18.4 IEEE 802.11i Wireless Security
22. 22
Fig6. Elements of IEEE 802.11
CBC-MAC = Cipher Block Chaining Message Authentication Code (MAC)
CCM = Counter Mode with Cipher Block Chaining Message Authentication Code
CCMP = Counter Mode with Cipher Block Chaining MAC Protocol
TKIP = Temporal Key Integrity Protocol
Elements of RSN
18.4 IEEE 802.11i Wireless Security
24. Discovery Phases(1/3)
24
The Discovery phase determines
the technology used in the
following areas.
l Confidentiality Integrity Protocol
MPDU
l Authentication Method
l Cryptographic key management
scheme
18.4 IEEE 802.11i Wireless Security
25. 25
Encryption options are as
follows for the confidentiality
and integrity protection.
l WEP
l TKIP
l CCMP
Discovery Phases(2/3)
18.4 IEEE 802.11i Wireless Security
26. 26
MPDU exchange
l network and security features
l Open System Authentication
l Association
Discovery Phases(3/3)
18.4 IEEE 802.11i Wireless Security
27. Authentication Phases(1/2)
27
• Authentication step of performing
authentication between a STA and AS.
• Should allow an authenticated Station
will use the network.
• Station to communicate with the
network, and that we are
guaranteeing the fair.
• Certification process step is
composed of three steps: Connect to
AS.
ü EAP exchange.
ü Secure Key Delivery.
18.4 IEEE 802.11i Wireless Security
28. 28
1. Connect to AS
• Station is connected to the AS
sends a request to their AP.
• AP is a response to the received
request, and transmits the access
request to the AS.
2. EAP ( Extensible authentication
protocol) exchange
• Do the mutual authentication
between the Station and the AS.
3. Secure Key Delivery:
• The AS generates a Master
Session Key (MSK) after mutual
authentication and sent to the
Station.
• Master keys are transferred to the
Station through the AP.
Authentication Phases(2/2)
18.4 IEEE 802.11i Wireless Security
29. Key Management Phases(1/3)
29
Pre-shared key AAA Key
Pairwise master key
Pairwise transient key
EAPOL key
confirmation key
EAPOL key
Encryption key
Temporal Key
사용자 정의
Out-of-band path EAP method path
PSK AAAK or MSK
PMK
PTK
KCK KEK TK
No modification
Possible truncation
PRF(pseudo-random function)
Using HMAC-SHA-1
18.4 IEEE 802.11i Wireless Security
Fig8. Pairwise key hierarchy
30. 30
• The key management phase, various
encryption key is generated and being
distributed Station.
• Pairwise key pair are commonly used
for communication between the Station
and the AP.
• This key is dynamically generated from
a master key and limited use of time..
• The top layer has two kinds of keys are
present.
ü PSK is AP and Station shared
key to the dictionary..
ü MSK is generated during the
authentication phase is different
from the generation method
according to the authentication
protocol.
Key Management Phases(2/3)
18.4 IEEE 802.11i Wireless Security
31. 31
• Pairwise master key is generated in the
following manner.
ü PSK is used, generates a PMK with
PSK
ü MSK Gaga used if the PMK is cut
using some MSK.
• After the end of the final stage of certification
is the AP and Station to share the PMK.
Key Management Phases(3/3)
18.4 IEEE 802.11i Wireless Security
• PMK is finished and after mutual
authentication between the AP Station is
used to generate a PTK is used for
communication.
• PTK = HMAC( PMK ||the MAC addresses of
the STA and AP|| nonces ).
33. 33
18.4 IEEE 802.11i Wireless Security
Fig10. IEEE 802.11i Keys for Data Confidentiality and Integrity Protocols
34. 34
18.4 IEEE 802.11i Wireless Security
Fig10. IEEE 802.11i Phases of Operation: Four-Way Handshake and Group Key Handshake
35. 35
Protected Data Transfer Phases
The IEEE 802.11i defines TKIP and CCMP two systems to deliver MPDU.
1. TKIP
• Message integrity : Then after the data field by attaching a Message
integrity code (MIC) to ensure integrity. MIC is inputted with the
destination MAC address, a data field and the key value through the
Michael algorithm produces a 64-bit result value.
• Data Confidentiality: The MPDU encrypted data and MIC as RC4 to
guarantee confidentiality.
2. CCMP
• Message integrity : Use the Cipher Block Chaining Authentication Code.
• Data Confidentiality : The use of 128-bit AES encryption.
18.4 IEEE 802.11i Wireless Security