Cryptographic Security Techniques for Wireless Networks

Danai Patiyoot, S. J. Shepherd
Telecommunication Research Centre, Department of Electronic & Electrical Engineering, University of Bradford, West Yorkshire BD7 1DP, UK
Tel. +44 1274 733466 Ext. 4085
E-mail: [email protected]. uk

Keywords: Cryptographic, Security, Wireless

Abstract

This paper deals with security techniques for wireless networks. The work presented is based on a review of literature regarding current and future wireless network security systems. The aspects discussed in this paper include the choices of cryptographic algorithms, such as protocols for key management and authentication. Various conclusions are drawn from existing security networks and proposed for new wireless ATM network security. A proposal for future research into security techniques for wireless ATM networks is also included.

Introduction

Wireless networks are being driven by the need for providing network access to mobile or nomadic computing devices. Although the need for wireless access to a network is evident, new problems are inherent in the wireless medium itself. Specifically, the wireless medium introduces new opportunities for eavesdropping on wireless data communications. Anyone with an appropriate wireless receiver can eavesdrop, and this kind of eavesdropping is virtually undetectable. Furthermore, since the wireless medium cannot be contained by the usual physical constraints of walls and doors, active intrusions through the wireless medium are also made easier.

The importance of secure communications in wireless is that, as the reliance put on these systems to communicate important or confidential information approaches that put on the P.S.T.N., users are beginning to demand at least an equivalent level of security. This is hampered by the fundamental property of radio communication: transmissions can easily be received by parties other than those for which a transmission is intended. There have also been recent increases in the availability of sophisticated radio receivers and microcomputers. Thus, unless security is provided, information providers, carriers, and users will face new threats. In the absence of countermeasures, the user enjoys less privacy, as is demonstrated by the fact that eavesdropping prevails on wireless channels on a scale never heard of in the context of wire-line communications. Further, the carrier is less sure of being paid for a particular call because it has much less assurance about the authenticity of the caller, as evidenced by the heavy losses due to fraud incurred by the current cellular providers. As we upgrade the service to provide data communications, we must pay attention not only to the user's privacy but also to data integrity issues.

When communications are moved to a shared medium (radio communications), more than one person can transmit and listen on the medium. When the medium is shared, privacy and authentication are lost unless some method is established to regain them. Cryptography provides the means to regain control over privacy and authentication. The cryptographic design should reduce theft of the Personal Terminal (PT) by making reuse of a stolen PT difficult. Even if the PT is registered to a new legitimate account, the use of the stolen terminal should be stopped. The cryptographic design should also reduce theft of services by making reuse of a stolen PT's unique information difficult.

When solving security problems introduced by radio channels, it is important not to do so at the cost of increased vulnerability on the network side. A comprehensive solution for user privacy should ensure end-to-end encryption, so that users' privacy is maintained not only on the radio channels against third parties, but also throughout the network. This must require a fine balancing act between the users' right to privacy and law enforcement agencies' ability to trace criminals. Provision of privacy and authentication hinges on the key agreement and authentication protocol. Such protocols can employ private-key and/or public-key cryptographic techniques. Various levels of security are required depending on the sensitivity of the data transmitted.

Various architectures of wireless networks are presented in this paper and each of them has its own idea of protecting its network. Section one mentions the need for wireless communication security. Section two demonstrates the current existing security for wireless networks. Section three is the proposal of security for wireless ATM networks. Recommendations for future research into wireless ATM security are laid out in Section four. The conclusion is made in Section five.

1. The Need for Wireless Communications Security

1. To protect user data. When relayed over the air interface, user data need to be protected from eavesdropping.
2. To protect signalling data. It should be protected from eavesdropping.
3. To authenticate the user. It is essential to have an effective means to verify the subscriber toward the network to ensure correct billing.

2. Current Wireless Security Networks

There are currently several wireless security networks at various stages of development and implementation throughout the world, such as:
• Second generation of digital cellular telephone, such as GSM.
• Second generation of digital cordless telephone, such as DECT, IS-41.
• Third generation of digital cordless telephone, such as UMTS.
• Wireless indoor network, such as wireless LAN.
• UPT, while accessed through mobile terminals.
• Mobile data, such as CDPD.
Details of these networks are shown in section 2.1.

2.1 UMTS Security

2.1.1 Security Requirements

The main security requirements of Advanced Security for Personal Communications Technologies (ASPECT) are to study the following topics [3]:
• Migration of security from existing mobile systems to UMTS.
• Fraud detection and management in UMTS.
• Trusted Third Parties (TTP) for end-to-end security services in UMTS.
• Capabilities of future User Identity Modules (UIMs).
• Security and integrity of billing in UMTS.

2.1.2 Security Mechanisms

The current detailed proposal for the authentication mechanism is as follows:

1. A challenge-response using symmetric key techniques (Royal Holloway)

[Figure 1: message flow between the UIM/Terminal and the Network operator. M1: TMUIN, RNDU. M2: RNDN, TMUIN' xor CIPHN, AUTHN. M3: AUTHU.]
Figure 1 Royal Holloway, current registrations (see footnote 1)

1 Current Registrations: Where the user is already registered with the network operator where it is currently roaming. The user and the network operator already share a TMUIN and KNU.

1.1 Description of the protocol

The mechanism consists of three messages exchanged between the user and the network

operator. The service provider is not involved. The three messages are indicated in Figure 1 as M1, M2 and M3.

The protocol proceeds as follows:
1. The UIM/Terminal sends message M1: TMUIN and RNDU to the Network operator.
2. The Network operator sends M2: RNDN, TMUIN' xor CIPHN and AUTHN to the UIM/Terminal, by calculating:
- AUTHN = AN(KNU, RNDN || RNDU || TMUIN'), where RNDN and TMUIN' are generated by the Network operator.
- CIPHN = CU(KNU, RNDU)
The Network operator at the same time calculates:
- AUTHU = AU(KNU, RNDU || RNDN)
3. The UIM/Terminal calculates:
- AUTHN in the same way as the Network operator did, to authenticate the Network operator.
- AUTHU in the same way as the Network operator did, and sends it, as M3, to the Network operator to authenticate itself.
4. Upon receiving the AUTHU, the Network operator compares the received AUTHU with the previously calculated one.

2.2 UPT Security

By using a universal number, Universal Personal Telecommunication (UPT) enables an enhanced access to multiple networks, wired and wireless, at any terminal. A high level of security is a necessary condition for a service like UPT [1].

2.2.1 Parties Involved

UPT parties or subjects are assumed to be persons or company representatives that can be held responsible for actions within the UPT environment in a legal sense, or that are affected by the introduction of the UPT service. Parties which could be involved in or related to the UPT service are listed below:

1. UPT user (Uus).
2. UPT subscriber (Usb).
3. UPT service provider (Usp).
4. UPT network operator (Uop).
5. Network operator (Nop). Public network operator, used to pass on UPT communications.
6. Line subscriber (Lsb). Person who owns the access or terminal to a normal network, which passes UPT communications.
7. Other Party (Otp). Person who calls a UPT user or a person who is called by a UPT user.
8. Intruder (Int). Any party who threatens the UPT service or related features. An intruder can play two different roles: 1) actively masquerades as one of the communication parties and 2) passively reads information.

There is a great variety of relationships between the different UPT parties. All of the relationships have to be controlled by appropriate agreements that take the different legal situations in the various countries into consideration. A diagrammatic representation of the relationships of the parties involved in UPT is given in Figure 2. The intruder is not specifically placed within the diagram, as the relationship depends purely on the type of intrusion perpetrated. Figure 2 shows all the involved parties in a UPT environment.

Figure 2 Model of UPT parties and their relations

2.2.2 Threats to the service

2.2.2.1. Subscription Process

The subscription process includes both subscription and de-subscription to the UPT service. The threats that might occur to the subscription process:

- Unauthorised modification of subscription by the user. A user could modify subscription data in the service profile without agreement with his subscriber (and maybe service provider).
- Unauthorised modification of subscription data by the subscriber. The UPT subscriber could modify the subscriber data without authorisation.
- Fake subscription. An intruder could masquerade as a subscriber to a UPT service provider, probably with charging consequences. This would cover the case where a false name and address are given for billing, for instance.
- Unauthorised de-subscription. A subscription could be terminated by the UPT service provider (or an intruder) without giving notice to the UPT subscriber or UPT user.

2.2.2.2. Threats to personal data integrity

Data that will lead to the identification of an individual or that presents information about a known individual is defined to be personal data.
- Threatened subjects. Personal data is related to human beings that take part in the UPT service, namely: UPT subscribers, UPT users, third parties.
- Identification of sensitive data within UPT. The identification of personal data to be processed within UPT is a record containing all information related to the user that is stored permanently or temporarily within UPT systems and terminals.
- Identification of sensitive data processing functions. Within the UPT service the following general data processing functions will be applied: data transformation, data storing, data transmission.
- Location of sensitive data processing functions. The locations of sensitive data processing within UPT are: all UPT service data bases where personal data is stored, all UPT terminal data bases where personal data is stored, links between UPT subscriber/user and UPT service provider, links between UPT service provider and UPT service provider, links between UPT service provider and network provider, links between UPT operator and the local UPT systems.
- Identification of threats to personal data integrity. Threats to personal data integrity will occur when a profile is made of one party's personal behaviour concerning: the circumstances of his business, his personal time management, his temporary location.

2.2.2.3. Threats to the UPT service providers' systems

All systems applied or implemented by UPT service providers face a number of threats resulting from any internal systems security violations, like:
- unintended or hidden functionality
- insufficient reliability
that are caused by means of:
- local implementation,
- local operation,
- the domain specific security policy.

2.2.2.4. Threats to inter-network communication

Threats to inter-networking communication are as follows:
- Network connection to the wrong database. An unintentional situation occurs when a control point (CP) is not connected to the right database (SDP). In this case, information from other persons could be disclosed.
- Masquerading UPT entities. An intruder could impersonate a UPT entity (e.g. SCF, SDF) for illegal direction or receipt of calls via a UPT network.
- Modification, deletion and replay of UPT "signalling" data. An intruder could change "signalling" information in order to disturb the service or to manipulate the charging information.
- Eavesdropping of UPT "signalling" data. An intruder could monitor signalling data to get information, e.g. about the location of subscribers or about information internal to the communicating UPT service providers.
- Masquerading originator, repudiation, modification, deletion and replay of files and messages. An intruder could initiate one of the above actions to the intruder's advantage, especially for the manipulation of charging data.
- Eavesdropping of files and messages. An intruder could monitor files and messages, e.g. to get information about a subscriber's location or to disclose confidential database information of UPT service providers.

2.2.3 Security Requirements

The important individual data protection requirements are:

1) Call forwarding services are only permitted when the third party has agreed and the calling party is informed during call establishment.
2) Call forwarding services can be limited to calling parties' identification by request of the third party.
3) The receipt of incoming calls may be limited by the called party to the condition of a calling line identification.
4) It should be possible to block the calling line identification on a case by case basis.
5) The contents of calls may only be made accessible to third parties if all parties concerned have agreed (e.g., conference calls).
6) User information may only be stored during the time of transmission.
7) To guarantee the users', subscribers' and third parties' self-determination concerning their personal data, any collection, processing and storage of personal data:
- is restricted to be used only directly for the provision of the service.
- is restricted to the shortest time range possible.
- must be given in advance to the shortest time range possible.
8) Personal data has to be kept confidential and must not be given to other parties (e.g. service providers) without the subscribers' prior consent.
9) The collection or filtering of subscribers' electronic profiles about their temporary location, personal and business circumstances etc. is not permitted.

2.2.4 Security Features

Some features are defined to serve as countermeasures to several threats identified as follows:

1. Activity monitoring. This is the real-time monitoring of events associated with a user's account including some or all of: authentication, call activity, charging indications. The pattern of a user's activity may indicate that an account is subject to abuse. If strong user authentication is not used, then activity monitoring is the only fast acting protection that a UPT user and subscriber and their UPT service provider have.
2. Authentication of UPT user/UPT subscriber. This security feature will counteract or be an important part of counteracting the following threats: masquerading as a UPT user, masquerading as a UPT subscriber, manipulation of a user's service profile by masquerading as a subscriber.
3. Authentication of the UPT service provider to the UPT user/UPT subscriber. This security feature will counteract or be an important part of counteracting impersonation of a UPT service provider.
4. Access control to UPT access device. Two features are required for the access control to sensitive information in the UPT access device: authentication of user/owner towards the device and strong protection. These features will counter the threat of unauthorised use of the device.
5. Access control system to service profile information. For the controlled access to the service profile data bases there is a need for an access control system which can cover the threats of: masquerading as a UPT subscriber, manipulation of a user's service profile by masquerading as a subscriber, masquerading as a UPT user, manipulation of a user's service profile by masquerading as a UPT user.
6. Secure management of the subscription process. There should be sound and stringent administration of subscriptions and access control to subscription database systems. These features will cover these threats: unauthorised modification of subscription by the user, unauthorised modification of subscription data by the subscriber, unauthorised de-subscription, eavesdropping of information during subscription, denial of service by device malfunction, mis-delivery of UPT devices.

2.2.5 Security architectures

2.2.5.1 Authentication Exchange Mechanisms

There exist many mechanisms for authentication. The choice depends on the technical possibilities on one hand, and on the required security level on the other hand. UPT systems proposed two systems to deal with these authentication mechanisms:
- One pass authentication using variable authentication code
- Multiple pass authentication using challenge and response protocol

1. One pass authentication mechanisms

In order to prevent replay, the one pass authentication protocol can use variable Authentication Codes (AC). These ACs should be verifiable by the UPT system. They have to be non-predictable and non-replayable. This procedure requires the use of a UPT access device. A fixed local PIN should authenticate the user to his device. The authentication data might be time stamps, sequence numbers, random numbers, or a combination of these possibilities. For authentication of the user identity, they are one-way enciphered, and the result, called the variable Authentication Code (AC), is sent together with parts of the cleartext to the UPT system, where verification will be done. The data flow is illustrated in Figure 3.

NOTE: The authentication data may be concatenated with information data (e.g. the UPT number or UPI, respectively, the "LPIN" id checked in the system, and user commands) before enciphering, in order to achieve data integrity.
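The one pass mechanism described above, as an added example that is not part of the paper: the device one-way enciphers a sequence number together with the information data, and the system recomputes the AC and refuses anything it has already seen. HMAC-SHA256 as the one-way algorithm, the 8-byte AC length, the message fields and the sample UPT number are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

AC_LEN = 8  # bytes of the MAC sent as the AC (assumed; the page gives no length)


def variable_ac(key: bytes, seq: int, upt_number: str, command: str) -> bytes:
    """One-way encipher the authentication data (a sequence number) concatenated
    with the information data, so the AC also protects data integrity (the NOTE)."""
    msg = struct.pack(">Q", seq)
    for part in (upt_number.encode(), command.encode()):
        msg += struct.pack(">H", len(part)) + part  # length prefix keeps fields unambiguous
    return hmac.new(key, msg, hashlib.sha256).digest()[:AC_LEN]


@dataclass
class AccessDevice:
    """UPT access device; the local PIN check that unlocks it is out of scope here."""
    upt_number: str
    key: bytes
    seq: int = 0

    def request(self, command: str) -> dict:
        self.seq += 1  # authentication data is never reused
        ac = variable_ac(self.key, self.seq, self.upt_number, command)
        # The cleartext parts travel with the AC so the system can recompute it.
        return {"upt_number": self.upt_number, "seq": self.seq,
                "command": command, "ac": ac}


@dataclass
class UptSystem:
    keys: dict                                    # UPT number -> shared secret key
    last_seq: dict = field(default_factory=dict)  # UPT number -> highest seq accepted

    def verify(self, msg: dict) -> str:
        key = self.keys.get(msg["upt_number"])
        if key is None:
            return "unknown-user"
        expected = variable_ac(key, msg["seq"], msg["upt_number"], msg["command"])
        if not hmac.compare_digest(expected, msg["ac"]):
            return "bad-ac"   # wrong key, or cleartext altered in transit
        if msg["seq"] <= self.last_seq.get(msg["upt_number"], 0):
            return "replay"   # a captured message presented again
        self.last_seq[msg["upt_number"]] = msg["seq"]
        return "ok"


def demo() -> list:
    key = bytes(range(32))  # constructed sample key
    device = AccessDevice("UPT-0001", key)
    system = UptSystem({"UPT-0001": key})
    first = device.request("register-incoming-calls")
    second = device.request("forward-to:terminal-A")
    tampered = dict(second, command="forward-to:terminal-B")
    return [system.verify(first), system.verify(first),
            system.verify(tampered), system.verify(second)]


if __name__ == "__main__":
    print(demo())
```

A sequence number makes the system keep per-user state; a time stamp avoids that state but needs synchronised clocks and an acceptance window.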

[Figure 3: data flow from the UPT user (device holder verification, local access control) through the UPT access device, where the user's authentication data (see NOTE) and cleartext data pass through a one-way algorithm to give the variable authentication code (AC), to the UPT system, where the authentication data (see NOTE) pass through the one-way algorithm and the results are compared.]
Figure 3 Variable AC

2. Multiple pass authentication mechanisms

These protocols run between the UPT access device (e.g. smart card), the UPT system, and possibly a Trusted Third Party (TP). Additionally, a local PIN should authenticate the UPT user to his UPT access device.

a) Mechanisms without trusted third party

The mechanism proposed is described in Figure 4. It can also be used for authentication of the system to the device and hence mutual authentication.

[Figure 4: (1) rs from the UPT system (S) to the UPT access device (D); (2) VDS from D to S.]
rs = random number
VDS = f(KDS; rs)
f = cryptological function
KDS = secret key
Figure 4 Two pass authentication with random number

(1) The UPT system S sends a random number rs to the user's UPT access device D.
(2) D encrypts rs by means of a cryptological function f and a secret key KDS, agreed (at subscription time) between D and S, and sends it to S. Then, S checks if D has used the correct key and the correct random number.

b) Mechanisms with trusted third party

The concept of a trusted third party makes authentication possible without sharing a secret key between the concerned entities prior to the authentication process. These entities have, however, each to share a common secret key with the trusted third party. The proposed mechanism is shown in Figure 5.

[Figure 5: (1) rs from the UPT system (S) to the Trusted Third Party (T); (2) VTS from T to S; (3) VSD from S to the UPT access device (D); (4) VDS from D to S.]
rs = random number
VTS = f(KTS; rs, KDS, f(KTD; rs, KDS)) = f(KTS; rs, KDS, VSD)
VSD = f(KTD; rs, KDS)
VDS = f(KDS; rs)
f = cryptological function
K = secret keys
Figure 5 Four pass authentication

(1) The UPT system S sends a random number rs to the trusted third party T.
(2) T generates a session key KDS and encrypts it together with rs by means of a cryptological function f and a secret key KTD, agreed (at subscription time) between T and D. Then, T encrypts the result VSD together with rs and KDS by means of f and a secret key KTS, agreed between T and S, and sends it to S. Then S checks if T has used the correct key KTS and the correct random number rs.
(3) S sends VSD to D.
(4) D decrypts VSD and gets rs and KDS. Then D sends VDS = f(KDS; rs) to S. Finally, S checks if D has the correct key and the correct random number.
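The four pass exchange of Figure 5, as an added example that is not code from the paper; its last two steps are the two pass challenge-response of Figure 4 run under the freshly distributed KDS. The paper leaves f unspecified, so `f_seal`/`f_open` (an HMAC-SHA256 keystream with an HMAC tag) are a stand-in chosen so that a wrong key is detectable, and the 16-byte lengths and function names are assumptions.

```python
import hashlib
import hmac
import secrets

R = 16  # byte length of rs and KDS (assumed)


class AuthError(Exception):
    pass


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def f_seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for f: encrypt, then MAC, so use of a wrong key can be checked."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def f_open(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise AuthError("truncated message")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise AuthError("wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def ttp_issue(k_td: bytes, k_ts: bytes, rs: bytes) -> bytes:
    """(2) T: VSD = f(KTD; rs, KDS), then VTS = f(KTS; rs, KDS, VSD)."""
    k_ds = secrets.token_bytes(R)
    v_sd = f_seal(k_td, rs + k_ds)
    return f_seal(k_ts, rs + k_ds + v_sd)


def system_accept(k_ts: bytes, rs: bytes, v_ts: bytes):
    """S checks that T used KTS and the rs of this run; returns (KDS, VSD)."""
    body = f_open(k_ts, v_ts)
    if not hmac.compare_digest(body[:R], rs):
        raise AuthError("rs does not match this run (replayed VTS)")
    return body[R:2 * R], body[2 * R:]


def device_respond(k_td: bytes, v_sd: bytes) -> bytes:
    """(4) D decrypts VSD, recovers rs and KDS, answers VDS = f(KDS; rs)."""
    body = f_open(k_td, v_sd)
    rs, k_ds = body[:R], body[R:2 * R]
    return f_seal(k_ds, rs)


def system_check(k_ds: bytes, rs: bytes, v_ds: bytes) -> bool:
    """S checks that D used the correct key and the correct random number."""
    return hmac.compare_digest(f_open(k_ds, v_ds), rs)


def run(k_td_at_t: bytes, k_ts: bytes, k_td_in_device: bytes, replayed_v_ts=None) -> str:
    rs = secrets.token_bytes(R)                              # (1) S -> T: rs
    v_ts = replayed_v_ts or ttp_issue(k_td_at_t, k_ts, rs)   # (2) T -> S: VTS
    try:
        k_ds, v_sd = system_accept(k_ts, rs, v_ts)
        v_ds = device_respond(k_td_in_device, v_sd)          # (3) S -> D, (4) D -> S
        ok = system_check(k_ds, rs, v_ds)
    except AuthError as exc:
        return f"rejected: {exc}"
    return "authenticated" if ok else "rejected: rs mismatch"


if __name__ == "__main__":
    k_td, k_ts = secrets.token_bytes(32), secrets.token_bytes(32)
    print(run(k_td, k_ts, k_td))                     # genuine device
    print(run(k_td, k_ts, secrets.token_bytes(32)))  # device without KTD
```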

2.3 CDPD Security

In a CDPD network, the airlink is conceivably the most susceptible to hackers. The airlink is essentially a virtual wire into the customer's network and must be protected.

2.3.1 Security Architecture

[Figure 6: F-ES, IP network, M-ES (Mobile end system), MSF (Mobile Serving Function), MHF (Mobile Home Function).]
Figure 6 The CDPD network

The M-ES is basically a computer with a wireless modem that accesses the CDPD network through the air link (the A interface). Each M-ES is assigned one or more unique NEI. The network entities that perform the network routing function are the MHF and MSF. One point to be noticed is that message flows over the air link between M-ES and MSF are encrypted. Message flows between MSF and MHF are neither encrypted nor cryptographically authenticated. The security architecture is shown in Figure 6 [4].

2.3.2 Authentication Protocol

The following authentication protocol is performed during call set up and hand-offs and can be seen in Figure 7:
1. An M-ES is initialised when the MD-IS performing the MHF service provides it with a unique NEI. The MHF also provides SHR, which is a tuple of ARN and ASN, where ARN is a 64-bit binary string and ASN is a 16-bit binary string.
2. In the first transmission, S sends to M a prime p, a generator g mod p, and g^r mod p, where r ∈ {0, ..., p-1}.
3. Next, mobile M authenticates itself to its home H and registers its current location. M transmits to S EMS(NEI, SHRi) and g^r' mod p, where r' ∈ {0, ..., p-1} and SHRi is the shared historical record at time i. Now M and S have the private encryption key KMS = g^(r·r') mod p, where r and r' are chosen at random.
4. S then sends H the tuple (NEI, SHRi) for verification, carried by RDR.
5. The confirmation or denial of service is transmitted back to M through S using RDC and ISC. On confirmation, H provides M with a new ARN and the ASN is incremented by one. In the Figure, it is denoted as SHRi+1.

[Figure 7: M-ES (M) and MSF (S) across the A interface, MSF (S) and MHF (H) across the I interface. 1) S to M: prime p, g, g^r mod p. 2) M to S (ESH): g^r' mod p, EMS(NEI, SHRi). 3) S to H (RDR): NEI, SHRi. 4) H to S (RDC): (Accept, SHRi+1) or (Refuse). 5) S to M (ISC): EMS(SHRi+1).]
EMS is RC-4 using the key KMS negotiated during the Diffie-Hellman key exchange, KMS = g^(r·r') mod p.
Figure 7 The current M-ES authentication protocol
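The registration exchange of section 2.3.2, as an added example that is not code from the paper or from any CDPD implementation: it runs the Diffie-Hellman step, the RC-4 protected credential transfer and the SHR update, and shows that a second device holding a copy of an already used SHRi is refused. The demo-sized prime, the generator, the 32-bit integer NEI, the byte layout of the credentials and all class and function names are assumptions.

```python
import hmac
import secrets
import struct

P = 2**127 - 1  # demo-sized prime (assumption); far too small for real use
G = 3           # generator assumed for the demo


def rc4(key: bytes, data: bytes) -> bytes:
    """RC-4 stream cipher; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class Home:
    """MHF (H): keeps the current SHR = (ARN, ASN) for every NEI."""

    def __init__(self):
        self.shr = {}

    def provision(self, nei: int) -> tuple:
        self.shr[nei] = (secrets.token_bytes(8), 0)  # 64-bit ARN, 16-bit ASN
        return self.shr[nei]

    def redirect(self, nei: int, arn: bytes, asn: int):
        """RDR in, RDC out: the new SHR on Accept, None on Refuse."""
        cur = self.shr.get(nei)
        if cur is None or asn != cur[1] or not hmac.compare_digest(arn, cur[0]):
            return None
        self.shr[nei] = (secrets.token_bytes(8), (asn + 1) & 0xFFFF)
        return self.shr[nei]


class Mobile:
    """M-ES (M): holds its NEI and the SHR it believes is current."""

    def __init__(self, nei: int, shr: tuple):
        self.nei, self.shr, self.k = nei, shr, b""

    def hello(self, g_r: int):
        r2 = secrets.randbelow(P - 2) + 1
        self.k = pow(g_r, r2, P).to_bytes(16, "big")  # KMS = g^(r.r') mod p
        cred = struct.pack(">I8sH", self.nei, *self.shr)
        return pow(G, r2, P), rc4(self.k, cred)

    def confirm(self, blob: bytes) -> None:
        self.shr = struct.unpack(">8sH", rc4(self.k, blob))  # store SHRi+1


def register(home: Home, mobile: Mobile) -> str:
    """MSF (S): one run of messages 1) to 5) of Figure 7."""
    r = secrets.randbelow(P - 2) + 1
    g_r2, blob = mobile.hello(pow(G, r, P))       # 1) p, g, g^r   2) g^r', E(NEI, SHRi)
    k = pow(g_r2, r, P).to_bytes(16, "big")
    nei, arn, asn = struct.unpack(">I8sH", rc4(k, blob))
    new_shr = home.redirect(nei, arn, asn)        # 3) RDR, sent in clear per section 2.3.1
    if new_shr is None:                           # 4) RDC
        return "Refuse"
    mobile.confirm(rc4(k, struct.pack(">8sH", *new_shr)))  # 5) ISC: E(SHRi+1)
    return "Accept"


def demo() -> list:
    home = Home()
    nei = 0x0A000001                              # constructed sample NEI
    shr0 = home.provision(nei)
    genuine, copy = Mobile(nei, shr0), Mobile(nei, shr0)  # copy holds SHR0 only
    return [register(home, genuine), register(home, copy), register(home, genuine)]


if __name__ == "__main__":
    print(demo())
```

If the copy registers first, it is the genuine M-ES that is refused on its next registration, which is the signal an operator can act on.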

2.4 GSM Security

A radio accessed network is inherently less secure than a fixed network. This comes from the possibility to listen to and to emit radio waves from anywhere, without tampering with the operator's equipment.

2.4.1 Purpose of Security

The motivations for security in cellular telecommunications systems are to secure conversations and signalling data from interception as well as to prevent cellular telephone fraud. The objectives of security for GSM are:
- The operator can be sure that bills are sent to the right people, and that the services cannot be compromised.
- To make the radio path as secure as the fixed network, which implies anonymity and confidentiality to protect against eavesdropping.
- To have strong authentication, to protect the operator against fraud.
- To prevent operators from compromising each others' security, whether inadvertently or because of competitive pressures.
- Security implementation must not significantly add to the delay of the initial call set up or subsequent communication.
- Security implementation must not increase the bandwidth of the channel.
- Security implementation must not allow for increased error rates, or error propagation.
- Security implementation must not add excessive complexity to the rest of the system.
- Security implementation must be cost effective.

2.4.2 Architecture

Figure 8 Distribution of Security Features in the GSM Network

Figure 8 demonstrates the distribution of security information among the three elements: firstly, the SIM; secondly, the GSM handset or MS; thirdly, the GSM network, consisting of MSC, AUC, and HLR or VLR. The details of GSM entities which contain security related information are:

MS: A5
SIM: A3, A8, IMSI, Ki, TMSI/LAI (footnote 2), Kc/CKSN (footnote 3)
AUC: A3, A8, IMSI, Ki
HLR: Sets of IMSI, RAND, SRES, Kc
VLR: Sets of IMSI, RAND, SRES, Kc
MSC: A5, TMSI/IMSI, Kc
EIR: IMEI

2 LAI: The LAI has to accompany the TMSI if the MS is used outside the given location area.
3 CKSN: This number is related to the valid Kc and is meant to avoid the use of a wrong key.

2.4.3 Security provision

Security is introduced in the GSM system to avoid misuse of the network and to protect the privacy of the subscribers. For these reasons the following mechanisms are defined:
• Subscriber Identity Authentication. To avoid the misuse of identities of authorized subscribers, an authentication mechanism is defined. The authentication mechanism may be started each time a subscriber accesses the system. The subscriber has to prove his identity to the system before any transaction is possible. Authentication is performed by a challenge and response mechanism. A random challenge (RAND) is issued to the mobile by the network. The mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (Ki), and sends a response (SRES) back. The network operator can check that, given the key of the mobile, the response to the challenge is correct by performing the same SRES process. If both fit then the authentication is successful and the MS can continue. Otherwise the connection is released with the indication to the MS that authentication was not successful. If suspicion about the TMSI number arises, the MS is requested to announce its IMSI. If the authentication fails repeatedly, the VLR requests the IMEI of that MS.
• Subscriber Identity Confidentiality. To avoid the possibility for an eavesdropper to identify which mobile subscriber is using a certain connection on the radio path, a temporary identity (TMSI) is allocated to a subscriber. This identity is a local identity and is only valid in a given location area. Once a TMSI has been used, a new TMSI is calculated by the HLR/VLR and sent in encrypted form to the MS.
• Signalling Data Confidentiality. The signalling data flow is encrypted and decrypted using ciphering algorithm A5 and ciphering key Kc.
• User Data Confidentiality. The user data flow is encrypted and decrypted using ciphering algorithm A5 and ciphering key Kc.
The mechanisms mentioned above can be seen in Figure 9.

[Figure 9: the fixed network sends the challenge (RAND) over the air interface to the mobile, which returns the response (SRES) computed with Ki; plaintext is ciphered with Kc and carried over the air interface as encrypted data (ciphertext).]
Figure 9 Encryption for GSM

2.4.4 Advantage

1. The subscriber's anonymity is ensured through the use of temporary identification numbers, TMSI. A TMSI is only valid in a certain area. When entering another area, a new TMSI is allocated to the subscriber.
2. The confidentiality of the communication on the radio link is performed by the application of encryption algorithms.
3. Authentication cannot be traced, since RAND is changed every time an authentication request occurs.
4. The calculation of SRES proceeds within the SIM, so Ki is not needed outside the SIM.

2.4.5 Disadvantage

1. The scheme is of conventional centralised security design involving the home domain, which generates additional requirements in processing time and cost. It might not be suitable, efficient or logical for the future growth of mobile communications services or for the set up of an integrated global mobile network.
2. Most users have the perception that encryption is provided within the whole "GSM network domain", although it is only applicable to the radio channel.
3. If the MS has to show its IMSI for reasons such as register failures, then risk from eavesdropping can occur.

2.5 DECT SECURITY

2.5.1 Security services

The following are the security services provided in the DECT system [5]:
1) Authentication of a PT. This is an FT initiated service which enables an FT to authenticate a PT making or receiving a call through it. This service is invoked at the beginning of a call. It may be re-invoked at any time during a call. It is to provide a cryptographically secure method of identifying subscriptions for billing purposes, and also to prevent illicit access to private base stations in order to avoid charges or for reasons of anonymity.
2) Authentication of an FT. This is a PT initiated service which enables a PT to authenticate an FT through which it is making or receiving a call. This service is invoked at the beginning of a call, and may be re-invoked at any time during a call. It is introduced to counter the threats of: unauthorised loading of information into a PP which may render the PP unusable, FP impersonation in order to bypass privacy.
3) Mutual authentication. This service enables a PT and an FT, through which a call is connected, to authenticate each other.
4) Data Confidentiality. This service provides for the confidentiality of user data and certain control data transmitted between a PT and an FT. The service is provided only over the CI. It does not provide any cryptographic protection for data passed through the fixed networks.
5) User authentication. The user authentication service allows an FT to authenticate a user of a PT by checking a User Personal Identity (UPI) value associated with that user. The user authentication service is initiated by the FT. The UPI is entered into the PT by the user whenever the user authentication is invoked. It is invoked at the beginning of a call. It may be re-invoked at any time during a call.

2.5.2 Security Architecture

44

Figure 11 Authentication of PT ~hent~ation UNq128] [ ~ e c l i o n

The service provided using a cryptographic challenge-response mechanism, shown in Figure 11. The FT issues a challenge by sending RS and RAND_F to the PT, which responds by returning the result of a computation performed, RES 1, using the challenge, RAND_F, and an authentication key associated with the PT. The FT compares the response from the PT with the value it calculated, XRES1, and deems the authentication to be successful if the two values agree. In this way the PT is authenticated by demonstrating knowledge of the authentication key associated with it.

UPI[e.g;281

U~[128] ~ 2 AC[e.g.16-32] 81

Aulhenlicalioa

RS[641

PP ~stnal~olrPPr ~ proc~e~

~

r~,Jo~1641

CK1641 SCKo' o " ~ KSGIKey Aulhenlic~ca ~ S t r e o m ofFP13[ocesse~ KeyStreamgeneotion RES2[32] tc~enc~fOttoni~oc~

SCK]641

EV[35] i'~JDP1 6 4 }

~

C

RESl132]

~

2.5.3.2 Authentication of an FT

AC: Authentication Code
IV: Initialisation Value obtained from frame counter
CK: Cipher Key
SCK: Static Cipher Key
Ks: Session Authentication Key
Ks': Reverse Authentication Key
RAND_F: Value generated and transmitted by FP
RAND_P: Value generated and transmitted by PP
RES1: Value computed and transmitted by PP
RES2: Value computed and transmitted by FP
RS: Value transmitted by FP in authentication protocol
UAK: User Authentication Key
UPI: User Personal Identity
DCK: Derived Cipher Key
K: Authentication Key
A11, A12: Authentication Processes
A21, A22: Authentication Processes
B1, B2: Authentication Key Stream Processes
KSG: Key Stream Generator

Figure 12 Authentication of FT [message-flow diagram between FT and PT; legible labels: Generate: RAND_P; obtain: RS, RES2; compare: RES2 with XRES2]

Figure 10 shows an overview of DECT Security processes.

The service is provided using a cryptographic challenge-response mechanism, seen in Figure 12. The PT sends a challenge, RAND_P, to the FT, which responds by returning the result, RES2, of a computation performed using the challenge and an authentication key associated with the PT and RS. The PT computes the expected value for the computation, and deems the authentication to be successful if this value agrees with the one received from the FT. In this way, the FT is authenticated by demonstrating that it can provide the result of a computation that depends upon knowledge of an authentication key associated with the challenging PT.
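The two exchanges of Figures 11 and 12, written out as an added example that is not code from the paper. HMAC-SHA-256 stands in for the DECT processes A11/A12 and A21/A22 (an assumption; the real algorithms are not reproduced here), and the key K and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key

def process(label, key, data, size):
    """Stand-in for DECT processes A11/A12/A21/A22 (assumption: HMAC-SHA-256)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:size]

def pt_response(k, rs, rand_f):
    """RES1 (32 bits): Ks = A11(K, RS), then RES1 = A12(Ks, RAND_F)."""
    ks = process(b"A11", k, rs, 16)
    return process(b"A12", ks, rand_f, 4)

def ft_response(k, rs, rand_p):
    """RES2 (32 bits): Ks' = A21(K, RS), then RES2 = A22(Ks', RAND_P)."""
    ks_rev = process(b"A21", k, rs, 16)
    return process(b"A22", ks_rev, rand_p, 4)

def authenticate_pt(k_ft, k_pt):
    """Figure 11: FT challenges with RS, RAND_F and compares RES1 with XRES1."""
    rs, rand_f = secrets.token_bytes(8), secrets.token_bytes(8)
    xres1 = pt_response(k_ft, rs, rand_f)      # computed on the FT side
    res1 = pt_response(k_pt, rs, rand_f)       # returned by the PT
    return hmac.compare_digest(res1, xres1)

def authenticate_ft(k_ft, k_pt):
    """Figure 12: PT challenges with RAND_P and compares RES2 with XRES2."""
    rand_p = secrets.token_bytes(8)            # generated by the PT
    rs = secrets.token_bytes(8)                # chosen on the FT side
    res2 = ft_response(k_ft, rs, rand_p)       # returned by the FT with RS
    xres2 = ft_response(k_pt, rs, rand_p)      # computed by the PT
    return hmac.compare_digest(res2, xres2)

def recorded_res1_accepted(k):
    """A RES1 recorded in one run is checked against a fresh RAND_F."""
    rs = secrets.token_bytes(8)
    recorded = pt_response(k, rs, secrets.token_bytes(8))
    fresh_xres1 = pt_response(k, rs, secrets.token_bytes(8))
    return hmac.compare_digest(recorded, fresh_xres1)
```

Both directions succeed only when the two sides hold the same K, and a response recorded earlier does not match the value expected for a new challenge.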

2.5.3 Security mechanisms

2.6 Wireless LAN Security

2.5.3.1 Authentication of a PT

2.6.1 Principles of Operation

UAK UPI DCK K A11, A12 A21, A22 B1, B2 KSG

Figure 10 Overview of DECT security processes

Wireless LAN systems are made up of a cell or a group of cells. Each cell contains several wireless station adapters (or workstations or mobile notebooks) and an access point (or mobile portables), which controls the cell. The access point is usually connected to an existing backbone, and


manages all traffic within the cell. Station adapters within the coverage area of an access point (i.e. the cell) can communicate among themselves, or gain access to wired LAN resources through the access point. All station adapters associated with an access point are synchronised with it by both frequency and clock, so they can transmit and receive data to and from the access point. The same rule applies for interception: in order for someone to intercept the data, he must be within the coverage area of the cell and must be synchronised with the access point.

set to a certain frequency after it is bought. With Frequency Hopping systems, the frequency of the carrier wave is continuously changing.
2) Password Control. Passwords should be under tight control and changed frequently.
3) Data Encryption. Encryption can be added to the network in either hardware or software. The data in the packets is scrambled before it is sent over the network. Only stations that have the correct decryption key can unscramble and read the data.

2.6.2 Risks to the Network

2.6.5 Security Practical Methods

Wireless LAN is subject to substantial security risks and issues, namely:
1. Attacks from within the network's user community. By far the biggest threat to the network comes from within the network itself. Without the proper security measures in place, any registered user of the network can access data that he or she has no business accessing. Disgruntled current and ex-employees have been known to read, distribute, and even alter valuable company data files. Network administrators need to have the right security products for their environment, the proper security levels set for their users, and an on-going way to audit the effectiveness of the security process.
2. Unauthorised users gaining access.
3. Eavesdropping from outside the network. Perhaps the most difficult threat to detect is someone just looking at the data packets.


2.6.3 Security Features
Since data security considerations impact the entire network architecture, the security features that should be offered to deter the threats are:
- User authentication.
- Authorisation.

2.6.4 Security Theory Methods
Methods that can be used to secure communication in wireless LAN are as follows:
1) Spread Spectrum. Either Direct Sequence or Frequency Hopping can be used. Direct sequence works in a pre-defined constant frequency, i.e. access point or station adapter is


1. Wire Equivalency Privacy (WEP). The IEEE wireless standards organisation created the so-called "WEP". This algorithm, based on RSA RC4, prevents eavesdropping, whereby a pseudo-random number generator is initialised by a shared secret key. Strength against brute force attack and self-synchronisation are two of the reasons why WEP was chosen for wireless LAN.
2. Extended Service Set ID (ESSID). This method was proposed in the BreezeNET Pro Series. It is a password that is configured in the access point. Only station adapters configured with the same ESSID can synchronise with the access point and join the cell, so if an attacker doesn't have your ESSID number he cannot join the network. If someone manages to steal the number, the only thing to do is change the ESSID of the access points and station adapters that have been affected. Changing the ESSID is done either by connecting each unit to a local monitor, or by SNMP remote network management; all SNMP settings are protected by SET and GET communities. One of the good features of ESSID is the ability to set your own proprietary hopping pattern. In Frequency Hopping systems, when a station adapter joins an access point (if it is configured with the same ESSID) the access point tells it the number of the hopping pattern used so it can tune itself to the same one and synchronise with the access point. The Hopping Pattern is a list containing the frequencies (channels) of operation in the specific order of the hopping. If a unit loaded with a proprietary hopping pattern is stolen, different patterns can be downloaded and the network can then continue to work. The number of possible patterns is almost infinite.

2.6.6 Security Architecture

1) University of California at Berkeley
The architecture developed there, by Vaduvur Bharghavan, is a mobile computing environment consisting of indoor wireless nanocells, supported by a wired backbone network. The computers in the environment are static workstations or mobile notebooks. Each static computer has a wired network interface, and each mobile computer has a wireless network interface. Some special static computers, the base stations, have both wired and wireless network interfaces, and serve to provide network connectivity to mobile computers. A mobile computer can achieve network connectivity only by communicating with a base station; mobile computers are prohibited from communicating with each other. The geographical region over which a base station provides connectivity is called its cell. The wireless medium is a single channel near-field radio with a bandwidth of 256 kbps and a range of about 30 feet. Each mobile computer has a home computer on the wired backbone network. A home computer is fully trusted with any information pertaining to its mobile computer. Also, home computers and base stations are considered to be trusted special machines. Details of the mechanisms can be found in [6]. The architecture is shown below in Figure 13.

This mechanism was proposed by Ashar Aziz. It is intended to provide both the privacy and the authenticity of the communicating parties. The details can be seen in Figure 14, including the three messages stated below [7]:
Message #1. Mobile -> Base: {Cert_Mobile, CH1, List of SKCSs}
Message #2. Base -> Mobile: {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig{Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, CH1, List of SKCSs}}}
Message #3. Mobile -> Base: {E(Pub_Base, RN2), Sig{Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile, RN1)}}}

Figure 14 Secure protocol for wireless LAN networks
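Messages #1 and #2 of the exchange above, as an added example that is not code from the paper or from its reference [7]: it shows the mobile rejecting a Message #2 whose signature was computed over a different List of SKCSs or a different CH1 than the ones it sent. Textbook RSA over small known primes stands in for the public-key operations, a certificate is reduced to a bare public key, and the SKCS names are constructed; all of these are assumptions.

```python
import hashlib
import secrets

def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: toy parameters, not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # (public, private)

def digest(parts, n):
    blob = "|".join(repr(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(priv, parts):
    n, d = priv
    return pow(digest(parts, n), d, n)

def verify(pub, parts, sig):
    n, e = pub
    return pow(sig, e, n) == digest(parts, n)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

# Constructed keys built from Mersenne primes; a certificate is reduced to a public key.
PUB_MOBILE, PRIV_MOBILE = toy_rsa_keypair(2**127 - 1, 2**89 - 1)
PUB_BASE, PRIV_BASE = toy_rsa_keypair(2**107 - 1, 2**61 - 1)

def message1(skcs_list):
    """Mobile -> Base: {Cert_Mobile, CH1, List of SKCSs}."""
    return {"cert": PUB_MOBILE, "ch1": secrets.randbits(64), "skcs": list(skcs_list)}

def message2(m1):
    """Base -> Mobile: signature covers E(Pub_Mobile, RN1), choice, CH1 and the list."""
    enc_rn1 = encrypt(m1["cert"], secrets.randbits(64))
    chosen = m1["skcs"][0]                         # assumption: first entry is preferred
    sig = sign(PRIV_BASE, [enc_rn1, chosen, m1["ch1"], m1["skcs"]])
    return {"cert": PUB_BASE, "enc_rn1": enc_rn1, "chosen": chosen, "sig": sig}

def mobile_accepts(sent, m2):
    """Mobile verifies Message #2 against the CH1 and list it actually sent."""
    signed = [m2["enc_rn1"], m2["chosen"], sent["ch1"], sent["skcs"]]
    trusted = m2["cert"] == PUB_BASE               # stands in for certificate validation
    return trusted and m2["chosen"] in sent["skcs"] and verify(m2["cert"], signed, m2["sig"])
```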

2.7 IS-41 Security

Figure 13 Mobile Computing Environment [diagram; legible labels: Cell, Mobile Computer, Base Station, WAN; legend: logical connection between Home and Mobile]

2.7.1 Security Architecture

2) Ashar Aziz


systems support roaming subscribers by transporting SSD from HLR to VLR. Knowledge of SSD enables the VLR to perform autonomous authentication of the user because the challenges and responses can be derived locally.

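Figure 15 Privacy and Authentication of IS-41 [diagram; legible labels: A-key to user; Store user secret (A-key) then (SSD); User/HLR derive shared secret data (SSD) from "A-key", store SSD; Access control; Preparation of user-specific data for access control; Develop crypto key; Encrypted connection]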

Figure 17 Authentication and Key Agreement protocols for IS-41: secret key systems

Figure 17 illustrates simplified call flow models for Authentication and Key Agreement in IS-41-based systems. The goals are to assure the serving network that the handset is entitled to service and to develop a set of cipher bits for protection of user traffic over the RF link. In an IS-41-style network, a single 32-bit "global" challenge is generated at frequent intervals and broadcast throughout the service area on a system information channel. Handsets that attempt a system access will compute an 18-bit authentication response by means of an authentication algorithm operating on their individual SSDs and the current global challenge. The access request package concatenates the registration/call set up information with the user's authentication response and call count value. For a registration, the response (and challenge) are sent to the home network for verification. If the handset is found to be authentic, SSD will be transported to the serving network along with other pertinent user data. During a call setup, receipt of the user's identity triggers a local database lookup at the serving network to retrieve his SSD and call count. The authentication response is then verified when the serving network confirms that the retrieved SSD/global challenge combination can be applied to the authentication algorithm to produce the same response as that received from the handset. In addition, the call count is checked for accuracy. Further processing of the SSD/global challenge at


In the United States' IS-41-based digital wireless telephone system, the user enters a security parameter called the "A-key" into his handset via the keypad. The technique begins when the service provider sends the 64-bit A-key to the user in a confidential manner, such as through the U.S. mail. This direct link between the user and the service provider is intended to bypass the service shop, which can be a source of fraud through either intentional or careless mishandling of security information. It is also necessary that the service provider store the user's A-key at the "home network". The whole process can be seen in Figure 15. The A-key never leaves the "home network", just as Ki never leaves its GSM "home" network.
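The IS-41 call-setup check described in this section, as an added example that is not code from the paper: the serving network verifies the 18-bit response from SSD and the broadcast 32-bit global challenge without ever holding the A-key, and refuses a request whose call count does not match. HMAC-SHA-256 stands in for the IS-41 authentication algorithm, and the SSD derivation input, SSD length, count update rule and all values are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def derive_ssd(a_key, seed):
    """SSD derived from the 64-bit A-key (stand-in derivation, an assumption)."""
    return hmac.new(a_key, b"SSD" + seed, hashlib.sha256).digest()[:16]

def auth_response(ssd, global_challenge):
    """18-bit response from SSD and the 32-bit global challenge."""
    mac = hmac.new(ssd, global_challenge.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big") >> 6      # top 18 of 24 bits

class ServingNetwork:
    """VLR side: holds SSD and call count per user, never the A-key."""
    def __init__(self):
        self.users = {}                              # user id -> [SSD, call count]
        self.challenge = secrets.randbits(32)

    def register(self, user_id, ssd, call_count):
        # SSD is transported from the home network after registration succeeds.
        self.users[user_id] = [ssd, call_count]

    def broadcast(self):
        self.challenge = secrets.randbits(32)        # new global challenge
        return self.challenge

    def call_setup(self, user_id, response, call_count):
        ssd, expected_count = self.users[user_id]
        if response != auth_response(ssd, self.challenge):
            return "reject: bad response"
        if call_count != expected_count:
            return "reject: call count mismatch"
        self.users[user_id][1] += 1                  # assumption: count advances per call
        return "accept"

def demo():
    """Constructed run: an accepted call, a stale call count, a wrong response."""
    a_key = bytes.fromhex("0123456789abcdef")        # constructed 64-bit A-key
    ssd = derive_ssd(a_key, b"constructed-seed")     # same at handset and HLR
    vlr = ServingNetwork()
    vlr.register("user-1", ssd, call_count=7)
    first = vlr.call_setup("user-1", auth_response(ssd, vlr.broadcast()), 7)
    stale = vlr.call_setup("user-1", auth_response(ssd, vlr.broadcast()), 7)
    wrong = vlr.call_setup("user-1", (auth_response(ssd, vlr.broadcast()) + 1) % 2**18, 8)
    return first, stale, wrong
```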

Figure 16 Roaming support: secret key systems [diagram; legible labels: User roams; Global (broadcast) challenge; Setup request with embedded response; IS-41 per-registration user data: SSD; User and VLR can now perform authentication and key agreement]

The process of access control in a roaming situation is depicted in Figure 16. A handset shown on the left side of the figure has roamed from its home network, served by its HLR, to another network, where it will be served by VLR. An authentication will be performed upon handset registration with the VLR. One flow of information is shown from HLR to VLR in order to support authentication. IS-41 style


both the handset and the local network then produces cipher for the protection of user traffic [8].

3. Wireless ATM Security

This new proposal is adapted from Carlsen so that it can be used with wireless ATM networks, while at the same time eliminating the weakness of the existing Carlsen mechanism.

3.1 Wireless ATM Network Security Architecture

3.2.1 Prerequisites on the Protocol
1. Only WAT and WAAS know each other's secret key, KAC.
2. Only Network and WAAS know each other's secret key, KBC.
3. The private key between WAT and network, KAB, will be provided by WAAS.

3.2.2 Description of the Protocol

WAT (A)    Network (B)    WAAS (C)

E,~(N.A)

ATMradiolink

QEk~.((N,,B,E~(NA,A}) D'

®11E~[(N,,N, K,~,A E~c(N N,,