Lecture 10 Mobile Security and M-commerce第 10 讲 移动安全与移动商务

§10.1 Basics of Security

§10.2 Security in Cellular Networks

§10.3 Security in WLAN

§10.4 Security in Ad hoc Networks

§10.5 Mobile Commerce

CIA – Requirements

Confidentiality

AvailabilityIntegrity

Secure

AAA -- Measurements

Authentication

AccountingAuthority

Secure

Encryption

Symmetric-key cryptographyBlock: AES, DES

Stream: RC4

Hash: SHA, MD5

Public-key cryptographyRSA, DH, etc.

PKI

Infrastructure on Internet digital certificates + public-key cryptography + certificate authorities

Network Security

15-441 Networks Fall 2002

7

Common Attacks and Countermeasures

Finding a way into the networkFirewalls

Exploiting software bugs, buffer overflowsIntrusion Detection Systems

Denial of ServiceIngress filtering, IDS

TCP hijackingIPSec

Packet sniffingEncryption (SSH, SSL, HTTPS)

§10.2 Security in Cellular Networks

GSM providesSubscriber identity confidentiality:

Protection against identifying which subscriber is using a given resource by listening to the signaling exchanges

Confidentiality for signaling and user data

Protection against the tracing of a user's location

Subscriber identity authentication:Protection of the network against unauthorized use

Signaling information element confidentiality:Non-disclosure of signaling data on the radio link

User data confidentiality:Non-disclosure of user data on the radio link

Authentication in GSM

Authentication in GSM

Authentication in GSM -- Summary

‰Only the mobile authenticates itself to the network Authentication is based on challenge-response: Challenge-response vectors are transmitted unprotected in

the signaling network ‰The permanent identification of the mobile (IMSI) is

just sent over the radio link when this is unavoidable:This allows for partial location privacy

As the IMSI is sometimes sent in clear, it is nevertheless possible to learn about the location of some entities

An attacker may impersonate a base station and explicitly demand mobiles to send their IMSIs!

‰ Basically, there is trust between all operators!

General Packet Radio Service (GPRS)

Data transmission in GSM based on packet switching Using free slots of the radio channels only if data ready

GPRS Protocol Architecture

GPRS Security

Security objectives:Guard against unauthorised GPRS service usage (authentication)Provide user identity confidentiality (temporary identification and ciphering)Provide user data confidentiality (ciphering)

Realization of security services:�Authentication is basically identical to GSM authentication:

SGSN is the peer entityTwo separate temporary identities are used for GSM/GPRSAfter successful authentication, ciphering is turned on

User identity confidentiality is similar to GSM:�Most of the time, only the Packet TMSI (P-TMSI) is send over the airOptionally, P-TMSI “signatures” may be used between MS and SGSN to speed up re-authentication

User Data Confidentiality is realized between MS and SGSN:Difference to GSM which just ciphered between MS and BTSCiphering is realized in the LLC protocol layer

3G Security

UMTS Security Architecture

(I) Network access security: protect against attacks on the radio interface

(II) Network domain security: protect against attacks on the wireline network

(III) User domain security: secure access to mobile stations

(IV) Application domain security: secure message exchange for applications

(V) Visibility and configurability of security: inform user of secure operation

Homestratum/ServingStratum

USIM HE

Transportstratum

ME

SN

AN

Applicationstratum

User Application Provider Application(IV)

(III)

(II)

(I)

(I)

(I)

(I)

(I)

UMTS Network Access Security Services

User identity confidentiality :User identity (IMSI) confidentiality

User location confidentiality

User untraceability Entity authentication:

User authentication

Network authentication

UMTS Network Access Security Services

Confidentiality:Cipher algorithm agreement

Cipher key agreement

Confidentiality of user data

Confidentiality of signaling data ‰ Data Integrity:

Integrity algorithm agreement

Integrity key agreement

Data integrity and origin authentication of signaling data

UMTS Authentication Mechanism

Generation of UMTS Authentication Vectors

Generation of UMTS Authentication Vectors

The HE/AuC starts with generating a fresh sequence number SQN and an unpredictable challenge RAND

For each user the HE/AuC keeps track of a counter SQNHE

An authentication and key management field AMF is included in the authentication token of each authentication vector

Subsequently the following values are computed:a message authentication code MAC = f1K(SQN || RAND || AMF) where f1 is a message authentication functionan expected response XRES = f2K(RAND) where f2 is a (possibly truncated) message authentication functiona cipher key CK = f3K(RAND) where f3 is a key generating function an integrity key IK = f4K(RAND) where f4 is a key generating function;an anonymity key AK = f5K(RAND) where f5 is a key generating function

Finally the authentication token AUTN = SQN AK || AMF || ⊕�MAC is constructed.

UMTS User Auth. Function in USIM

UMTS User Auth. Function in USIM

Upon receipt of RAND and AUTN the USIM:computes the anonymity key AK = f5K (RAND)retrieves the sequence number SQN = (SQN AK) AK⊕ ⊕computes XMAC = f1K (SQN || RAND || AMF) andcompares this with MAC which is included in AUTN.

If they are different�The user sends user authentication reject to the VLR/SGSN

If the MAC is correct�The USIM verifies that the received sequence number SQN is in the correct range:

If SQN is not in the correct range, the USIM sends synchronisation failure back to the VLR/SGSNIf SQN is in the correct range, the USIM computes:

the authentication response RES = f2K(RAND)

the cipher key CK = f3K(RAND) and the integrity key IK = f4K(RAND).

Network Access Security in UMTS -- Summary

Similar to GSM security:The home AUC generates challenge-response vectors

‰The challenge-response vectors are transmitted unprotected via the signaling network to a visited network that needs to check the authenticity of a mobile

IMSI is still revealed to the visited network

Still assumes trust between all network operators Unlike in GSM

The network also authenticates itself to the mobile‰ ‰

§10.3 Security in WLAN

Most common variant is IEEE 802.11n, with data rate up to 150Mbps

Alternative version 802.11a/b/g 802.11 security

Shared media – like a network hubRequires data privacy - encryption

Authentication necessaryCan access network without physical presence in building

Once you connect, you are an “insider” on the network

802.11 Security Approaches

Closed networkSSID can be captured with passive monitoring

MAC filteringMACs can be sniffed/spoofed

WEPCan be cracked online/offline given enough traffic & time

WPA and/or EAPMore secure

Wired Equivalent Privacy (WEP)

Part of 802.11 specification To achieve equivalent security as wired link Uses RC4 for encryption Shared key – 40 /104 bits A 24-bit initialization vector (IV)

WEP Authentication

Open system authentication Essentially it is a null authentication algorithm Simple handshake – just two messages with no

security benefit Usually enhanced with Web-based authentication

E.g. SYSUWLAN

Shared Key Authentication

Mobile node sends request to AP AP sends a 128-byte challenge text Mobile node encrypts the challenge text

using the shared secret key and an IV,

Mobile node sends the secret text to AP. AP decrypts the text and

compare with the original challenge text – a match proves that mobile node knows the secret key.

AP returns a success/failure indication to mobile node and completes the authentication process

WEP Data Encryption

To protect users from “casual eavesdropping” Depends on an external key management service to

distribute data enciphering/deciphering keys. A block of plaintext is bitwise XORed with a

pseudorandom key sequence of equal length. The key sequence is generated by the WEP

algorithm.

WEP Data Encryption

PRNG: pseudorandom number generator

WEP Frame Body Expansion

Problems with WEP

Key Generation ICV Generation Weak Key’s and Weak IV’s WEP Attacks

Key Generation Problems

The main problem of WEP is Key Generation. Secret Key is too small, only 40 Bits.

Very susceptible to brute force attacks. IV is too small.

Only 16 Million different possibilities for every packet. Secret Keys are accessible to user, therefore not secret. Key distribution is done manually.

ICV Generation Problems

The ICV is generated from a cyclic redundancy check (CRC-32)

Only a simple arithmetic computation. Can be done easily by anyone.

Not cryptographically secure. Easy for attacker to change packet and then change

ICV to get response from AP.

Weak Key’s and IV’s

Certain keys are more susceptible to showing the relationship between plaintext and ciphertext.

There are approx 9000 weak keys out of the 40 bit WEP secret key.

Weak IV will correspond to weak keys.

Attacks

ReplayStatistical gathering of certain ciphertext that once sent to server will cause wanted reaction.

802.11 LLC EncapsulationPredictable headers to find ciphertext, plaintext combinations

Denial of Service AttacksFlooding the 2.4Ghz frequency with noise.

WPA/WPA2

Wi-Fi Protected AccessAlso referred to as the IEEE 802.11i

WPA available around 1999 WPA2 became available around 2004 Enhanced security to replace WEP

Improved data encryptionUser authentication

WPA/WPA2

Authentication 802.1x & EAP allows auth. via RADIUS also allows auth via PSK (pre-shared key)

Encryption:WPA: TKIPWPA2: CCMP

WEP vs. WPA vs. WPA2

WEP WPA WPA2

Encryption RC4 RC4 AES

Key rotation

None Dynamic session keys Dynamic session keys

Key distribution

Manually typed into each device

Automatic distribution available

Automatic distribution available

Authent. Uses WEP key as AuthC

Can use 802.1x & EAP Can use 802.1x & EAP

WPA Modes

WPA-Enterprisew/RADIUS for authC

WPA-PSKFor home or SOHO“Pre-Shared Keys (PSK)” modeUser enters master key on each computerMaster key kicks off TKIP & key rotation

Mixed-modeOperates in WEP-only if any non-WPA clients

WPA Authentication

IEEE 802.1xAuthentication mechanism to devices of LAN or WLAN

with encapsulation of the Extensible Authentication Protocol (EAP)

802.1x Authentication

§10.4 Security in Ad hoc Networks

Security “on the air” Secure routing PKI in Ad hoc

45

“Over the Air”

Threats due to wireless communication Attacks

Eavesdropping, jamming, spoofing, “message attacks” Sleep deprivation torture

Counter measuresFirst attacks are not specific to ad hoc networks, well researched in military context:frequency hopping, spread spectrum

46

Secure Routing

Great number of attacks possible byNot participating at all to save battery or partition the network

Spamming the network with RREQ

Changing routing information in RREP messages

Constantly or never replying with RERR

…

47

Securing Routing

IdeaPunish non collaborative/malicious nodes by non-forwarding their traffic

How to achieve?Detection through “neighborhood watch”

Building a distributed system of reputation

Enable “re-socialization” through timeouts in the black list.

Securing Routing Information

IdeaShare the routing information through a secure channel

How to achieve?Requires key management and security mechanisms

PKI in Ad hoc

Threshold Cryptography Self-organized PKI

50

Threshold Cryptography

Emulate the central authentication authority by distributing it on several nodes acting as servers

Private Key is divided into n shares s1, s2, ... sn

51

Threshold Cryptography

(n, t+1) threshold cryptography configuration

n servers, if t are compromised,it is still possible to perform the service

E.g. (3, 2) threshold cryptography scheme

52

Threshold Cryptography Threshold cryptography seems to be a very robust solution However it needs some nodes to assume special behaviour For instance it is appropriate for military applications Inadequate for civilian networks

Users behave in a completely selfish way

53

Self-organized PKI Certificate issued by users

Bind public key to an identity Each user maintains a local certificate repository

Certificates issued by itselfOther certificates selected using some algorithms (Shortcut Hunter)Size of certificate repository is small compared to the total number of users in the system

54

Self-organized PKI How it works

u wants to verify the public key of v

u and v merge their local certificate repositories (subgraphs)

u tries to find a certificate chain (path) from u to v in the merged repository

subgraph of u

subgraph of vpath from u to v

v u

55

Self-organized PKI

Only probabilistic guarantee to find an appropriate certificate

Security self-organized as the WWW?How can these mechanisms be put in place preventing their misuse?

§10.6 Mobile Commerce

M-commerce, M-business Any e-commerce done in a wireless environment,

especially via the Internet Creates opportunity to deliver new services to existing

customers and to attract new ones

Attributes and Economic Advantages

Mobility—users carry cell phones or other mobile devices Broad reach—people can be reached at any time Ubiquity—easier information access in real-time Convenience—devices that store data and have Internet,

intranet, extranet connections Instant connectivity—easy and quick connection to Internet,

intranets, other mobile devices, databases Personalization—preparation of information for individual

consumers Localization of products and services—knowing where the

user is located at any given time and match service to them

Mobile Service Scenarios

Financial Services.

Entertainment.

Shopping.

Information Services.

Payment.

Advertising. And more ...

Architecture of M-commerce

Mobile Payment

Can be a stand-alone serviceCan also be an important enabling service for other m-

commerce servicesCould improve user acceptance by making the services

more secure and user-friendly.

Mobile Payment

Customer requirements: a larger selection of merchants with whom they can

trade a more consistent payment interface when making

the purchase with multiple payment schemes, like:• Credit Card payment• Bank Account/Debit Card Payment

Merchant benefits:brands to offer a wider variety of paymentEasy-to-use payment interface development

Bank and financial institution benefitsto offer a consistent payment interface to consumer and merchants

Payment via Internet Payment Provider

WAP GW/Proxy

SSL tunnel

MeP

GSM Security

SMS-C

User

Browsing (negotiation)

Merchant

Mobile Wallet

CC/Bank

IPP

Payment via Integrated Payment Server

WAP GW/Proxy

ISO8583 Based

CP

Mobile CommerceServer

GSM Security

SMS-C

User

Browsing (negotiation)

CC/Bank

Merchant

Mobile Wallet

Voice PrePaid

VPP IF

SSL tunnel

Limiting Technological Factors

Mobile Devices•Battery•Memory•CPU•Display Size

Networks•Bandwidth•Interoperability•Cell Range•Roaming

Localisation•Upgrade of Network•Upgrade of Mobile Devices•Precision

Mobile Middleware•Standards•Distribution

Security•Mobile Device•Network•Gateway

Security of M-commerce

A Summary

Security in Cellular NetworksGSM and UTMS

Access network security Security in WLAN

WEP

WPA/WPA2 Security in Ad hoc Networks

PKI M-commerce