Page 1: Introduction to Network Security - Missouri S&Tweb.mst.edu/~cetinkayae/teaching/CPE5420Fall2016/CPE5420-F2016...Introduction to Network Security ... •uses CHAP and PAP for authentication

© Egemen K. Çetinkaya

Introduction to Network Security Missouri S&T University CPE 5420

Link Layer Security

Egemen K. Çetinkaya

Department of Electrical & Computer Engineering

Missouri University of Science and Technology

[email protected]

http://web.mst.edu/~cetinkayae/teaching/CPE5420Fall2016

21 October 2016 rev. 16.0 © 2014–2016 Egemen K. Çetinkaya


Link Layer Security Outline

• Background

• Attacks

• Wireless security


Link Layer Security Background

• Background

• Attacks

• Wireless security


Network Architecture and Topology The Network

• Collection of nodes or intermediate systems (IS)

– switches, routers, bridges, etc.

• Interconnected by links that

• provide connectivity among end systems (ES) or hosts or terminals

– desktops, laptops, servers, telephone handsets, etc.

– note: in some networks nodes may be both ES and IS


Network Architecture and Topology The Network

[Figure: network topology showing end systems and intermediate systems (edge or access switch, core or backbone switch), a multihomed node, and wired and wireless links]


Protocol Layering OSI Model

Layer  Name          Function
7      application   application–application
6      presentation  data formatting
5      session       dialogue management
4      transport     end-to-end
3      network       forwarding/routing
2      link          hop-by-hop
       MAC           medium access control
1      physical      transmission

• ISO 7498: open systems interconnection

– protocol: rules for communication between entities


Protocol Layering Hybrid Layer/Plane Cube

[Figure: hybrid layer/plane cube with the layers physical (L1), MAC (L2–), link (L2), network (L3), transport (L4), session (L5) and application (L7) on one axis and the data plane, control plane and management plane on the other]


Link Layer Background Services

• Draw logical connections?


Link Layer Background Layering

• Link layer is hop-by-hop (HBH)

[Figure: layering across hops, with end system (transport, network, link), repeater / bridge (link), router (network, link) and end system (transport, network, link); the link layer peers hop-by-hop while the network and transport layers span the path]


Link Layer Background Services

• Link layer is HBH analog of E2E transport layer

– transport layer (L4) transfers packets E2E

• Link layer (L2) service to network layer (L3)

– transfer frame HBH

• sender: encapsulate packet into frame and transmit

• receiver: receive frame and decapsulate into packet

– error checking / optional correction or retransmission

– flow control possible but generally not needed at link layer

• via parameter negotiation (e.g. data rate)

• Link layer performs multiplexing and switching


Link Layer Background Types of Links

• What are the ways of transmitting bits on a link?

– hint: number of transmitters/receivers?


Link Layer Background Types of Links

• Point-to-point links

– one transmitter per medium

• dedicated

• multiplexed

– example Point-to-Point protocol?


Link Layer Background Types of Links

• Point-to-point links

– one transmitter per medium

• dedicated

• multiplexed

– e.g. PPP: dialup for Internet access

• uses CHAP and PAP for authentication [RFC 1994, RFC 1334]

• Shared medium (multiple access)

– multiple transmitters per medium

– results in contention for the medium

• MAC (medium access control) needed

– example medium (in which environment do you need MAC)?


Link Layer Background Types of Links

• Point-to-point links

– one transmitter per medium

• dedicated

• multiplexed

– e.g. PPP: dialup for Internet access

• uses CHAP and PAP for authentication [RFC 1994, RFC 1334]

• Shared medium (multiple access)

– multiple transmitters per medium

– results in contention for the medium

• MAC (medium access control) needed

– e.g. wireless networks


Link Layer Background MAC Protocol Taxonomy

• What are the types of MAC protocols?


Link Layer Background MAC Protocol Taxonomy

• Channel partitioning – channel divided into smaller pieces

• e.g. TDMA, FDMA, OFDMA, WDMA

• Random access – channel not divided, collisions occur

• e.g. ALOHA, slotted ALOHA, CSMA, CSMA/CD

• Coordinated access – nodes take turns

• e.g. token ring, polling

• Spread spectrum – multiple users spread across the spectrum

• e.g. CDMA


Link Layer Background Example Link Layer Protocols

• What are some link layer protocols?

21 October 2016 MST CPE 5420 – Link Layer Security 17

Page 18: Introduction to Network Security - Missouri S&Tweb.mst.edu/~cetinkayae/teaching/CPE5420Fall2016/CPE5420-F2016...Introduction to Network Security ... •uses CHAP and PAP for authentication

© Egemen K. Çetinkaya

Internet Protocols Important Link and MAC Protocols

Common name          Standard                 Scope     Technology
Ethernet             IEEE 802.3               LAN/MAN   wire, fiber
Token ring           IEEE 802.5               LAN       wire
WirelessLAN (WiFi)   IEEE 802.11              LAN       RF, (IR)
WPAN                 IEEE 802.15              PAN       RF
WirelessMAN (WiMAX)  IEEE 802.16              MAN       RF
SONET                ANSI T1.105, ITU G.707   MAN/WAN   fiber, electronic switch
OTN                  ITU G.709                MAN/WAN   fiber, optical switch

IEEE 802 network standards are available from standards.ieee.org/getieee802/portfolio.html

ITU-T standards are available from www.itu.int/publications/sector.aspx?lang=en&sector=2


Link Layer Security Attacks

• Background

• Attacks

– ARP attacks

– Wireless attacks

• Wireless security



Link Layer Security ARP

• Why and how do we use ARP?


Medium Access Control Addressing Overview

• Network address: 32 bit

– xxx.yyy.zzz.ttt

• MAC (Ethernet, physical) address: 48 bit

– AA-BB-CC-DD-EE-FF

– first 24 bits designate the vendor, managed by IEEE

• http://standards.ieee.org/develop/regauth/oui/public.html

– last 24 bits designate the physical address

• MAC adr. gets frame from one interface to another

– physically-connected interface (same network)


Address Resolution Protocol Overview

• ARP resolves IP addresses to MAC addresses

• Analogy:

– IP address → postal address

– MAC address → social security number

• ARP table maps IP addresses to MAC addresses

• ARP specified in RFC 826

• Operation:

– router broadcasts REQUEST

– nodes reply with REPLY

• Reverse ARP specified in RFC 903


Address Resolution Protocol Operation

• Node A and Node B in the same subnetwork

– AA-AA-AA-AA-AA-AA and BB-BB-BB-BB-BB-BB

• Node A broadcasts: who has the MAC address of B?

• Node B replies: my MAC adr. is BB-BB-BB-BB-BB-BB

• A encapsulates packet and sends the frame

• A caches IP to MAC address mapping

• What are the benefits of caching?


Address Resolution Protocol Operation

• Node A and Node B in the same subnetwork

– AA-AA-AA-AA-AA-AA and BB-BB-BB-BB-BB-BB

• Node A broadcasts: who has the MAC address of B?

• Node B replies: my MAC adr. is BB-BB-BB-BB-BB-BB

• A encapsulates packet and sends the frame

• A caches IP to MAC address mapping

– to reduce ARP overhead

– cache has limited size

– each ARP entry has limited lifetime

• why don’t we keep them forever?


ARP Attack ARP Poisoning (MITM Attack)

• http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html


ARP Attack ARP Poisoning (MITM Attack)

• Also called ARP cache poisoning or ARP spoofing

• Malicious node poisons the switch ARP table

• Defenses:

– dynamic ARP inspection

– static configuration

– S-ARP [BOR2003]

– secure ARP [GH2003]

– arpwatch from LBNL: http://ee.lbl.gov
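Worked example (added here; not part of the lecture slides): a host-side ARP cache with entry lifetimes, as on the ARP operation slides, together with an arpwatch-style monitor that reports when an IP's MAC changes and a dynamic-ARP-inspection-style check against a trusted IP-to-MAC binding table, run over a constructed three-packet trace. The MAC helper also splits an address into the IEEE-managed OUI and the vendor-assigned part from the addressing slide. All addresses, the binding table and the trace are constructed sample data, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ARP_REQUEST = 1   # operation codes from RFC 826
ARP_REPLY = 2


def parse_mac(mac: str) -> bytes:
    """Parse 'AA-BB-CC-DD-EE-FF' (or colon-separated) into its six raw bytes."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def mac_info(mac: str) -> dict:
    """Split a 48-bit MAC into the IEEE-managed OUI (first 24 bits) and the
    vendor-assigned part (last 24 bits), and read the two flag bits of the first
    octet: bit 0 = I/G (group/multicast), bit 1 = U/L (locally administered,
    i.e. not an address the vendor burned in)."""
    raw = parse_mac(mac)
    return {
        "oui": raw[:3].hex("-").upper(),
        "nic": raw[3:].hex("-").upper(),
        "multicast": bool(raw[0] & 0x01),
        "locally_administered": bool(raw[0] & 0x02),
    }


@dataclass
class ArpPacket:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpCache:
    """Host-side IP -> (MAC, expiry) table; entries age out after `lifetime`
    seconds, so a stale (or poisoned) binding cannot persist indefinitely."""

    def __init__(self, lifetime: float = 60.0) -> None:
        self.lifetime = lifetime
        self.table: Dict[str, Tuple[str, float]] = {}

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.table[ip] = (mac.upper(), now + self.lifetime)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.table.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if now >= expiry:            # expired: drop it, a fresh REQUEST is needed
            del self.table[ip]
            return None
        return mac


class ArpMonitor:
    """arpwatch-style observer (reports when an IP's MAC changes) plus a
    dynamic-ARP-inspection-style check against `trusted`, the binding table
    DAI would take from DHCP snooping or static configuration (constructed here)."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None) -> None:
        self.trusted = {ip: m.upper() for ip, m in (trusted or {}).items()}
        self.seen: Dict[str, str] = {}      # last MAC observed per IP
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> bool:
        """True if the sender binding is consistent, False if it raised an alert."""
        mac = pkt.sender_mac.upper()
        ok = True
        expected = self.trusted.get(pkt.sender_ip)
        if expected is not None and expected != mac:
            self.alerts.append(f"DAI: {pkt.sender_ip} claimed by {mac}, binding table says {expected}")
            ok = False
        previous = self.seen.get(pkt.sender_ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"flip-flop: {pkt.sender_ip} changed {previous} -> {mac}")
            ok = False
        self.seen[pkt.sender_ip] = mac
        return ok


# Constructed sample trace (not captured traffic) on 10.0.0.0/24: host B asks for
# the gateway 10.0.0.1, the gateway answers, then an unsolicited reply from a third
# MAC claims the gateway's IP, which is what an ARP poisoning attempt looks like.
SAMPLE_TRACE = [
    ArpPacket(ARP_REQUEST, "10.0.0.2", "BB-BB-BB-BB-BB-BB", "10.0.0.1"),
    ArpPacket(ARP_REPLY, "10.0.0.1", "AA-AA-AA-AA-AA-AA", "10.0.0.2"),
    ArpPacket(ARP_REPLY, "10.0.0.1", "CC-CC-CC-CC-CC-CC", "10.0.0.2"),
]


def run_sample() -> dict:
    monitor = ArpMonitor(trusted={"10.0.0.1": "AA-AA-AA-AA-AA-AA"})
    cache = ArpCache(lifetime=60.0)
    now = 0.0
    for pkt in SAMPLE_TRACE:
        now += 1.0
        if monitor.observe(pkt):          # cache only bindings that pass inspection
            cache.learn(pkt.sender_ip, pkt.sender_mac, now)
    return {
        "alerts": monitor.alerts,
        "gateway_mac": cache.lookup("10.0.0.1", now),
        "gateway_mac_after_expiry": cache.lookup("10.0.0.1", now + 120.0),
    }
```

Only bindings that pass inspection are cached, so the spoofed reply never displaces the gateway entry, and the expiry check shows why entries are not kept forever: a binding that was once correct is re-validated by a fresh REQUEST after its lifetime instead of being trusted indefinitely.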


Link Layer Security Attacks

• Background

• Attacks

– ARP attacks

– Wireless attacks

• Wireless security


Wireless Networks Geographic Scope

• Body area network – WBAN

• Personal area network – WPAN

• Local area network – WLAN

• Metropolitan area network – WMAN

• Wide area network – WWAN


Wireless Networks Protocol Examples

• Body area network – WBAN

– e.g. ?

• Personal area network – WPAN

– e.g. ?

• Local area network – WLAN

– e.g. ?

• Metropolitan area network – WMAN

– e.g. ?

• Wide area network – WWAN

– e.g. ?


Wireless Networks Protocol Examples

• Body area network – WBAN

– e.g.: wearable computing, sensor networks: IEEE 802.15.6

• Personal area network – WPAN

– e.g.: personal computing devices: IEEE 802.15

• Local area network – WLAN

– e.g.: coverage area of home or office: IEEE 802.11

• Metropolitan area network – WMAN

– e.g.: coverage area 10-20 km: IEEE 802.16

• Wide area network – WWAN

– e.g.: cellular telephony: CDMA, GSM


Security in Wireless Networks Attacks

• Node compromise

• Eavesdropping

• Privacy of data

• Denial of service attacks

• Malicious use of commodity networks

[CP2003]


Security in Wireless Networks Node Compromise

• Node compromise

– node physically captured by an adversary

– countermeasures:

• tamper-resistant hardware – expensive for defense

• node-to-node authentication in software

• erasable memory

• Eavesdropping

• Privacy of data

• Denial of service attacks

• Malicious use of commodity networks


Security in Wireless Networks Eavesdropping

• Node compromise

• Eavesdropping

– passive attack – easy due to open channel

– countermeasures:

• encryption – harder for large-scale sensor networks

• multipath routing – parts of message sent on different paths

• Privacy of data

• Denial of service attacks

• Malicious use of commodity networks


Security in Wireless Networks Privacy

• Node compromise

• Eavesdropping

• Privacy of data

– unauthorized access to information

– countermeasures:

• encryption

• access control

• reduction in data details – e.g. aggregation in sensor networks

• Denial of service attacks

• Malicious use of commodity networks


Security in Wireless Networks Denial of Service Attacks

• Node compromise

• Eavesdropping

• Privacy of data

• Denial of service attacks

– aims for network resource exhaustion

• Malicious use of commodity networks


DoS Attacks and Countermeasures Physical Layer

• Attacks:

– jamming

• simple

– battery exhaustion

• Countermeasures:

– spread spectrum techniques

– buffering during attack

• requires memory

– authentication

– use of alternative transmission during attack

• IR or optical

[WS2002]


DoS Attacks and Countermeasures Link Layer

• Attacks:

– collision or corrupting frames for checksum mismatch

– battery exhaustion by retransmissions

– unfairness

• Countermeasures:

– error correcting codes against collisions

• expensive; requires more bandwidth

– link layer admission control and rate limiting

– use of small frames against unfairness
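Worked example (added here; not from the slides) of the trade-off on this slide: a CRC-32 trailer detects a corrupted frame, but the frame is lost and must be retransmitted, whereas a Hamming(7,4) forward error-correcting code repairs one flipped bit per codeword in place at the cost of 75% more bits on the link. The payload is a constructed sample, and the Hamming and framing functions are this example's own, not the coding scheme of any particular link-layer standard.

```python
import binascii
from typing import List, Optional, Tuple

# Hamming(7,4): positions 1..7 hold p1 p2 d1 p3 d2 d3 d4. Parity bit p_k covers every
# position whose index has bit k set, so the syndrome equals the error position.


def hamming74_encode(nibble: int) -> int:
    d1, d2, d3, d4 = ((nibble >> i) & 1 for i in range(4))
    p1 = d1 ^ d2 ^ d4          # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4          # covers positions 4,5,6,7
    bits = [p1, p2, d1, p3, d2, d3, d4]     # position k stored at bit k-1
    return sum(b << i for i, b in enumerate(bits))


def hamming74_decode(code: int) -> Tuple[int, int]:
    """Return (nibble, error_position); position 0 means no error was seen."""
    bits = [(code >> i) & 1 for i in range(7)]
    s1 = bits[0] ^ bits[2] ^ bits[4] ^ bits[6]
    s2 = bits[1] ^ bits[2] ^ bits[5] ^ bits[6]
    s3 = bits[3] ^ bits[4] ^ bits[5] ^ bits[6]
    pos = s1 | (s2 << 1) | (s3 << 2)
    if pos:
        bits[pos - 1] ^= 1                   # single-bit error: flip it back
    nibble = bits[2] | (bits[4] << 1) | (bits[5] << 2) | (bits[6] << 3)
    return nibble, pos


def fec_encode(payload: bytes) -> List[int]:
    """Each byte becomes two 7-bit codewords: 14 bits on the air per 8 data bits."""
    out: List[int] = []
    for byte in payload:
        out.append(hamming74_encode(byte & 0x0F))
        out.append(hamming74_encode(byte >> 4))
    return out


def fec_decode(codewords: List[int]) -> Tuple[bytes, int]:
    """Return (payload, number of codewords that needed a correction)."""
    data = bytearray()
    corrected = 0
    for i in range(0, len(codewords), 2):
        lo, e_lo = hamming74_decode(codewords[i])
        hi, e_hi = hamming74_decode(codewords[i + 1])
        corrected += (e_lo != 0) + (e_hi != 0)
        data.append(lo | (hi << 4))
    return bytes(data), corrected


def frame_with_crc(payload: bytes) -> bytes:
    return payload + binascii.crc32(payload).to_bytes(4, "big")


def check_crc(frame: bytes) -> Optional[bytes]:
    """Payload if the CRC matches, else None: the receiver drops the frame and
    relies on retransmission, which is the battery cost the slide refers to."""
    payload, trailer = frame[:-4], frame[-4:]
    return payload if binascii.crc32(payload) == int.from_bytes(trailer, "big") else None


def flip_bit(data: bytes, index: int) -> bytes:
    buf = bytearray(data)
    buf[index // 8] ^= 1 << (index % 8)
    return bytes(buf)


SAMPLE_PAYLOAD = b"sensor reading 42"    # constructed sample payload


def run_sample(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    # CRC-only frame: one corrupted bit is detected, but the frame is unusable.
    frame = frame_with_crc(payload)
    corrupted = flip_bit(frame, 13)
    # FEC-protected frame: one corrupted bit in every codeword is repaired.
    codewords = fec_encode(payload)
    damaged = [cw ^ (1 << (i % 7)) for i, cw in enumerate(codewords)]
    recovered, corrected = fec_decode(damaged)
    return {
        "crc_accepts_clean": check_crc(frame) == payload,
        "crc_accepts_corrupted": check_crc(corrupted) is not None,
        "fec_recovered": recovered == payload,
        "fec_corrections": corrected,
        "fec_overhead_bits": 7 * len(codewords) - 8 * len(payload),
    }
```

The overhead figure is the bandwidth cost named on the slide: for the 17-byte sample, 136 data bits become 238 bits on the air. Hamming(7,4) also only corrects a single flipped bit per codeword; two flips in one codeword are miscorrected, which is why stronger (and costlier) codes are used where collisions corrupt longer bursts.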

[WS2002]


DoS Attacks and Countermeasures Network Layer

• Attacks:

– neglecting or greedy nodes

– misdirection of packets

– black holes partition the network

• by advertising zero-cost routes

• Countermeasures:

– authorization

– redundant messages

– multipath routing

– monitoring

– probing

[WS2002]


DoS Attacks and Countermeasures Transport Layer

• Attacks:

– flooding

• memory exhaustion for stateful connections

– desynchronization

• forged messages (e.g. control flag, seq. #) to trigger retransmission

• Countermeasures:

– authentication

– limiting number of connections

– client puzzles

• computationally expensive
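Worked example (added here; not from the slides) of the last two countermeasures: a hash-based client puzzle that the server issues statelessly (the nonce is an HMAC over the client identity and a time bucket, so nothing is stored for challenges that are never answered) and a per-client connection limit that escalates from free admission to a puzzle of growing difficulty and finally to refusal, so that a flood of connection requests costs the sender far more than it costs the server. The secret, client identifiers, limits and difficulty values are constructed, and the ConnectionGate class and function names are this example's own.

```python
import hashlib
import hmac
from typing import Dict, Optional

WINDOW = 30   # seconds per time bucket (constructed choice)


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; the puzzle's difficulty measure."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n


def challenge(client_id: bytes, bucket: int, secret: bytes) -> bytes:
    """Server side, stateless: the nonce is recomputable from the client identity
    and a time bucket, so no memory is spent on unanswered challenges."""
    return hmac.new(secret, client_id + bucket.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def puzzle_digest(nonce: bytes, counter: int) -> bytes:
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


def solve(nonce: bytes, difficulty: int) -> int:
    """Client side: brute-force a counter until the digest starts with `difficulty`
    zero bits, about 2**difficulty hash evaluations on average."""
    counter = 0
    while leading_zero_bits(puzzle_digest(nonce, counter)) < difficulty:
        counter += 1
    return counter


def verify(client_id: bytes, now: int, solution: int, difficulty: int, secret: bytes) -> bool:
    """Server side, O(1): one HMAC and one hash per accepted bucket. The current
    and the previous bucket count, so a solution finished just after a rollover
    is still accepted."""
    current = now // WINDOW
    for bucket in (current, current - 1):
        if bucket < 0:
            continue
        nonce = challenge(client_id, bucket, secret)
        if leading_zero_bits(puzzle_digest(nonce, solution)) >= difficulty:
            return True
    return False


class ConnectionGate:
    """Per-client admission control for stateful connections: below soft_limit
    pending connections admit freely; from soft_limit on require a puzzle whose
    difficulty grows with the backlog; at hard_limit refuse outright."""

    def __init__(self, secret: bytes, soft_limit: int = 2, hard_limit: int = 6,
                 base_difficulty: int = 10) -> None:
        self.secret = secret
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.base_difficulty = base_difficulty
        self.pending: Dict[bytes, int] = {}

    def required_difficulty(self, client_id: bytes) -> int:
        backlog = self.pending.get(client_id, 0)
        if backlog < self.soft_limit:
            return 0
        return self.base_difficulty + (backlog - self.soft_limit)

    def nonce_for(self, client_id: bytes, now: int) -> bytes:
        """What the server sends back together with a puzzle-required response."""
        return challenge(client_id, now // WINDOW, self.secret)

    def open(self, client_id: bytes, now: int, solution: Optional[int] = None) -> str:
        backlog = self.pending.get(client_id, 0)
        if backlog >= self.hard_limit:
            return "refused"
        difficulty = self.required_difficulty(client_id)
        if difficulty and (solution is None
                           or not verify(client_id, now, solution, difficulty, self.secret)):
            return f"puzzle-required:{difficulty}"
        self.pending[client_id] = backlog + 1      # state is allocated only now
        return "admitted"

    def close(self, client_id: bytes) -> None:
        """Connection finished or timed out: release its slot."""
        if self.pending.get(client_id, 0) > 0:
            self.pending[client_id] -= 1
```

The asymmetry is the whole point: verification is one HMAC and one SHA-256 regardless of difficulty, while each extra difficulty bit doubles the client's expected work, and because the nonce is derived rather than stored, the puzzle itself cannot be turned into a memory-exhaustion vector.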

[WS2002]


Security in Wireless Networks Malicious Use of Commodity Networks

• Node compromise

• Eavesdropping

• Privacy of data

• Denial of service attacks

• Malicious use of commodity networks

– use of sensor for illegal purposes

• e.g. planting them in computers to extract data

– countermeasure

• deployment of sensor networks to detect malicious activity

• this makes the attack expensive, but cannot prevent it


Link Layer Security Wireless Security

• Background

• Attacks

• Wireless security


Wireless Networks Geographic Scope

• Body area network – WBAN

• Personal area network – WPAN

• Local area network – WLAN

• Metropolitan area network – WMAN

• Wide area network – WWAN


WBAN Security Overview

• Body area network – WBAN

• WBANs are primarily for healthcare

• Novel applications:

– ubiquitous health monitoring (UHM)

– computer-assisted rehabilitation

– emergency medical response system (EMRS)

– promoting healthy living styles

• Privacy is the main concern

• Defense: encryption and access control to user data


WBAN Security Architecture

• 3 tier architecture [LLR2010]


WPAN Security Overview

• Personal area network – WPAN

• Short range, low power communications

– applications: portable computing devices, sensor networks

• Well-known technologies

– Bluetooth

• https://www.bluetooth.org

– ZigBee

• http://www.zigbee.org

– NFC (near field communications)

• http://www.nearfieldcommunication.org

• http://nfc-forum.org


WPAN Security Attacks and Defenses

• Highly susceptible to physical attacks

• Attacks on the MAC layer involve:

– collision

– exhaustion

– unfairness

• Attacker forces the node to perform a large number of tasks

– in order to deplete its battery

• IEEE 802.15.4 uses AES for encryption


WLAN Security Overview

• Local area network – WLAN

• 802.11 ≠ Wi-Fi

– Wi-Fi is interoperability certification

• Modes:

– infrastructure: STAtions communicate through APs

• AP: access point

– ad hoc mode: STAtions communicate directly


WLAN Security 802.11 Standards

• Latest standard is 802.11-2012 (linked on webpage)

– originally published in 1999

• 802.11a 5.8 GHz, 54 Mb/s

• 802.11b 2.4 GHz, 11 Mb/s

• 802.11g 2.4 GHz, 54 Mb/s

• 802.11e defines QoS

• 802.11i security enhancements

• 802.11n 20 MHz, 72 Mb/s, uses MIMO


WLAN Security Architecture

• Basic service set (BSS): single AP

• Distribution system (DS): connects multiple BSS

• Extended service set (ESS): union of multiple BSS

[802.11-2012]


WLAN Security Overview

• WEP – Wired Equivalent Privacy

– dealt with privacy aspects

– broken and deprecated, pre-RSN protocol

• 40-bit key

• WPA – Wi-Fi Protected Access

– developed by the Wi-Fi Alliance as a replacement for WEP

• RSN – Robust Security Network

– WPA-2 is the latest version


WLAN Security RSN Services and Protocols

• RSN employs various services and protocols


WLAN Security RSN Cryptographic Algorithms

• RSN employs various cryptographic algorithms


WLAN Security Phases of Operation


WLAN Security Phases of Operation

• Discovery

– STA associates with an AP, agrees upon protocols

• Authentication

– STA & AS (authentication server), proving identities

• Key management and distribution

– keys exchanged between STA and AP

• Protected data transfer between end points

– this is not an E2E secure connection

• Connection termination

– secure connection is torn down


WLAN Security Authentication Protocol

• Uses SAE – Simultaneous Authentication of Equals

• Password-based key exchange

– two entities that share a password

– wish to authenticate each other

– derive a strong, secret, and shared key

• Particularly for mesh networks

– 802.11s

• It is a peer-to-peer protocol, has no asymmetry


WLAN Security Confidentiality and Integrity Protocols

• TKIP – Temporal Key Integrity Protocol

– interim solution to replace WEP without replacing hardware

– deprecated

• CCMP – CTR with CBC-MAC Protocol

– based on AES: 128-bit key and 128-bit block size

• BIP – Broadcast/Multicast Integrity Protocol

– based on AES: 128-bit key and 128-bit block size


WMAN Security Overview

• Metropolitan area network – WMAN

• Well-known technology is IEEE 802.16

• 802.16 ≠ WiMAX

– WiMAX provides compatibility and interoperability

• Primarily for last mile access

• Uses AES or DES

• Provides authentication, key exchange, encryption


WWAN Security Overview

• Wide area network – WWAN

• Mobile cellular telephony

– CDMA

• inherently hard to eavesdrop due to self noise

– GSM

• GSM phones have a SIM card

• Privacy is the main threat for cellular networks

• Complex network administration


References and Further Reading

• [KPS2002] Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd edition, Prentice Hall, 2002.

• [S2017] William Stallings, Cryptography and Network Security: Principles and Practice, 7th edition, Prentice Hall, 2017.

• [KR2017] James F. Kurose and Keith W. Ross, Computer Networking: A Top-Down Approach, 7th edition, Pearson, 2017.

• Some slides are adopted from “KU EECS 882 – Mobile Wireless Networking” class taught by Prof. James P.G. Sterbenz

• [DKB2005], [SMM+2006], [KW2003],

• [IEEE 802.11-2012]

• [BOR2003], [GH2003],

• [IEEE/ISO/IEC 8802-1X-2013],

• [CHAP: RFC 1994], [RADIUS: RFC 2865], [EAP: RFC 3748]


References and Further Reading

• [BOR2003] Danilo Bruschi, Alberto Ornaghi, and Emilia Rosti, “S-ARP: a Secure Address Resolution Protocol,” in Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV, December 2003, pp. 66–74.

• [GH2003] Mohamed G. Gouda and Chin-Tser Huang, “A secure address resolution protocol,” Computer Networks, Volume 41, Issue 1, pp. 57–71, January 2003.

• [CP2003] Haowen Chan and Adrian Perrig, “Security and Privacy in Sensor Networks,” IEEE Computer, October 2003, pp. 103–105.

• [WS2002] Anthony D. Wood and John A. Stankovic, “Denial of Service in Sensor Networks,” IEEE Computer, October 2002, pp. 54–62.

• [PSW2004] Adrian Perrig, John A. Stankovic, and David Wagner, “Security in Wireless Sensor Networks,” Communications of the ACM, June 2004, pp. 53–57.


References and Further Reading

• [LLR2010] Ming Li, Wenjing Lou, and Kui Ren, “Data Security and Privacy in Wireless Body Area Networks,” IEEE Wireless Communications, Volume 17, Issue 1, pp. 51–58, February 2010.

• https://tools.ietf.org/html/draft-daniel-6lowpan-security-analysis-05

• https://www.nsa.gov/ia/_files/factsheets/i732-016r-07.pdf

• [JW2004] David Johnston and Jesse Walker, “Overview of IEEE 802.16 Security,” IEEE Security & Privacy, Volume 2, Issue 3, pp. 40–48, 2004.


End of Foils
