Wireless Security and Attack Trees For Wireless Networks
By Ramakrishnan Subramanian, Scuola Sant'Anna, Pisa, Italy

A Brief Abstract
The paper's main focus is to identify weaknesses in present wireless networks and to formulate attack trees that represent them. It hopes to advocate a systematic approach to ensuring wireless security. The paper is no more than a tutorial meant to stimulate such an approach.

Table Of Contents
2. Attack Tree Basics
3. Typical Security Flaws in Wireless Networks
4. High Level Wireless Attack Tree

Wireless networks in everyday use present plenty of security issues and breaches. Our aim is to model attack trees for possible wireless threats and to think about possible solutions [1]. The paper is aimed at giving students and designers a blueprint for thinking about and planning wireless system security before implementation. It is better to start with all the issues clearly defined and then work on security, since re-modelling a network once it is deployed is never easy. The paper covers many issues from the basics, to make it readable for a wider section of fellow students. My intended audience is fellow students and juniors.

2. Attack Tree Basics:

2.1 Attack Trees:
We focus on attack tree semantics and format. Attack trees have recently been systematically applied to detect security flaws (Schneier00). An attack tree has a root node and sub-nodes. The network/enterprise security is the root of the tree. The possibilities of an attacker breaking in, iteratively and incrementally, are represented as lower-level nodes of the tree. Each attack tree shows the ways in which an attacker can reach the root goal; there can be multiple paths.

Structure and Semantics:
A node has either
- a set of attack sub-goals, all of which must be achieved for the attack to succeed, represented as an AND decomposition; or
- a set of attack sub-goals, any one of which needs to be achieved for the attack to succeed, represented as an OR decomposition.

We can have a graphical as well as a textual representation. Throughout the paper I will follow the textual one. Readers interested in the graphical format can refer to [1].

2.2 Attack Patterns:
An attack pattern is a generic representation of an attack and contains
- the overall goal of the attack
- the list of preconditions
- the steps for carrying out the attack
- the list of postconditions that become true when the attack succeeds.

I will give the example of war driving. War driving is driving around areas with some tools for sniffing wireless airwaves and looking for open or unprotected networks. This can be represented as:

War Driving to discover networks
Goal: Identify unprotected networks.
Precondition: A tool like Airsnort or Netstumbler, and open networks present.
OR  1. Find the network address of vulnerable networks and AP information
    2. Find out about the encryption scheme and authentication mechanism
AND 1. Capture even protected data and messages
    2. Do cryptanalysis to find network secrets.
Postcondition: The attacker has information compromising network security.

This is a very elementary example but I hope it proves the point.

One can combine these to form an attack profile. An attack profile takes a set of attack patterns and identifies common patterns. These common patterns can be used to analyze and formulate security

3. Typical Security Flaws in Wireless Networks:

3.1 Easy Access
1) Setting up ad hoc wireless networks:
One can set up ad hoc wireless networks on the fly without any access points or security mechanisms. This is the most dangerous case and the most open to attacks, since it has no security considerations.

2) WLAN parameters for authentication:
The service set ID (SSID) is in fact the network id, and even though only the users and the system administrator are supposed to know it, it can easily be found by sniffing.
The SSID is an identification value programmed into an access point, or a group of access points, to identify the subnet. This segmentation of the wireless network into multiple networks is a form of authentication check: if a wireless station does not know the value, it cannot connect to that AP. When a client computer connects to the access point, the SSID acts as a simple password, thus providing a measure of security.
SSID security alone is very weak, because the value is known by all network cards and access points and is easily accessible over the air, since no encryption is provided. The access point is configured to broadcast its SSID; when this is enabled, any client without the SSID is able to receive it and gain access to the access point. Users are also able to configure their own client systems with the appropriate SSID, because SSIDs are widely known and easily shared. Also, since the AP is not authenticated, a rogue AP can mount a man-in-the-middle attack.
3.2 WEP Algorithm:
The other important mechanism is WEP (Wired Equivalent Privacy). This is meant to provide, on a wireless link, the link integrity one has on a wired one. The following describes how the network functions with encryption support.

WEP Algorithm
The WEP security protocol is intended to protect against eavesdropping and to provide physical-security attributes equivalent to those of a wired network. WEP is the encryption standard specified by the IEEE 802.11 architecture. WEP encrypts a data frame and its content to protect authorized users on a WLAN. WEP uses a 40-bit secret key for authentication and encryption, and other IEEE 802.11 implementations allow 104-bit secret key encryption. The encryption key is concatenated with a 24-bit "initialization vector", resulting in a 64- or 128-bit key.

When encryption is enabled, the access point issues an encrypted challenge packet to any client attempting to connect to it. The client then uses its key to encrypt the correct response in order to authenticate itself and gain network access [3],[5]. The client computer and the access point use the same key to encrypt and decrypt data. All WEP keys on a wireless LAN must be managed manually, because no key management protocol is specified for distribution. WEP security protocols can only be implemented on a client/server wireless LAN with an access point; they cannot be utilized in a peer-to-peer network.
WEP encryption has weaknesses that are vulnerable to attacks. WEP keys are static for encryption and authentication, making WEP susceptible to password replay attacks, traffic injection, and statistical attacks. Hackers exploit the weakness by intercepting traffic, flipping bits and injecting modified packets into the network. Researchers Nikita Borisov, Ian Goldberg and David Wagner at the University of California, Berkeley discovered security flaws in WEP, and their paper [3] deals in detail with all possible security flaws; it is a must read to understand WEP's flaws. It is possible for an attacker to change the destination in a packet to his own [4]; thus a message intended for another party ends up with him, and this leads to the attacker learning more about the network. The RC4 algorithm and the IV scheme are linear, so one can change bits to crack the code faster by trial and error. Also, IVs are repeated many times, especially after power-on. The Berkeley researchers have shown that this makes cracking the code faster by helping in replay attacks.
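The IV structure and IV repetition described above, as an added example that is not the paper's code: the per-packet RC4 seed is the 24-bit cleartext IV concatenated with the static key, and a small defender-side monitor flags any IV that recurs on the same BSSID. The frame records in SAMPLE are constructed, not captured.

```python
# Added example (not the paper's code): a defender-side check for WEP IV reuse.
# Frame records in SAMPLE are constructed, not captured data.
from collections import defaultdict

IV_BITS = 24                               # WEP sends a 24-bit IV in clear
IV_SPACE = 1 << IV_BITS                    # 16,777,216 distinct IVs

def wep_per_packet_key(iv: bytes, secret: bytes) -> bytes:
    """RC4 seed as WEP builds it: cleartext IV followed by the static secret key."""
    if len(iv) != 3 or len(secret) not in (5, 13):     # 40- or 104-bit secret
        raise ValueError("IV must be 3 bytes, secret 5 or 13 bytes")
    return iv + secret

def find_iv_reuse(frames):
    """Return {bssid: {iv: count}} for every IV seen more than once on a BSSID."""
    seen = defaultdict(lambda: defaultdict(int))
    for bssid, iv in frames:
        seen[bssid][iv] += 1
    return {b: {iv: n for iv, n in ivs.items() if n > 1}
            for b, ivs in seen.items() if any(n > 1 for n in ivs.values())}

def hours_to_exhaust_ivs(frames_per_second: float) -> float:
    """Hours until a busy AP is forced to repeat an IV even with a perfect counter."""
    return IV_SPACE / frames_per_second / 3600

# Constructed capture of (BSSID, IV). AP ...:01 reuses IV 00:00:01, as a card
# that restarts its IV counter on power-on would.
SAMPLE = [
    ("aa:bb:cc:dd:ee:01", b"\x00\x00\x01"),
    ("aa:bb:cc:dd:ee:01", b"\x00\x00\x02"),
    ("aa:bb:cc:dd:ee:01", b"\x00\x00\x01"),
    ("aa:bb:cc:dd:ee:02", b"\x00\x00\x01"),
]
```

Even a perfect IV counter wraps in well under a day on a busy AP; the reuse report is the signal a monitoring station can act on long before that.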
3.3 Poor Key Management:
There is no proper key management protocol. The following issues arise [4]:
- How is the key formed? Poor key formation is a cause for concern.
- Key distribution.

3.4 Other Issues
For example, if an employee leaves a company and still has a card, he can come and capture data from a nearby location. One way to prevent this is to use a MAC address filter with an ACL (Access Control List) defined.

War Driving:
This is an elementary but important issue. Drive around with a wireless receiver and use a tool like Netstumbler; there are many others, and Airsnort is considered very good. Netstumbler will give you information about wireless networks that have a default installation: SSID, whether encryption is on, BSSID. Even a basic hacker can eavesdrop and get a lot of information. Airsnort goes a step further and makes it possible to recover keys after collecting a large amount of data.

4. Summary of Wireless Weaknesses in the form of a High-level Wireless Attack Tree:
Root: System/Enterprise Security.

OR 1. Data snooping
   OR 1.1 Read message/plain text
      1.2 Get the plain text/encryption key from a message
      1.3 War driving

   2. Obtain connection
   OR 2.1 Obtain connection
      2.2 Open system authentication (faking SSID)

   3. Network access
   OR 3.1 Knowledge of the MAC address filter
      3.2 Ability to change the MAC address with software
      3.3 All layer 3 knowledge, like gateway, subnets and firewall

   4. Inside the network
   AND 4.1 Port, services and OS scan
       4.2 Password crack and session establishment

   5. Denial of service attacks
   OR 5.1 Jamming

The above is an open-ended tree and by no means complete. There will certainly be other paths for

a. Mutual authentication (to prevent man-in-the-middle attacks). Shared-key authentication is recommended over open system authentication.
b. Using a RADIUS server. After authentication at the AP, the user needs to log on to the network at the RADIUS server.
c. Decouple authentication from encryption. Use a random challenge packet (that is, after authentication change the session key and transmit it back to the user). Use a one-way hash function to relay the challenge and response.
d. Using a VPN to provide access within the network is preferable, as it ensures user authentication again. Present VPNs can create problems when a user roams from one AP to another, but there are solutions on the market too, like vicatores etc.
e. Don't broadcast the SSID from an AP unless encryption is present.
f. Multiple layers of security.
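The AND/OR semantics of section 2 applied to the section 4 tree, as an added example that is not the paper's code: the tree is encoded as nodes, every minimal set of leaf attacks that reaches the root is enumerated, and the countermeasures (a) to (e) above are mapped to the leaves they defeat so one can see which paths survive. The leaf names and the countermeasure-to-leaf mapping are our own assumptions for illustration.

```python
# Added example (not the paper's code): section-4 tree as AND/OR nodes.
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    op: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: tuple = ()

def feasible(node, blocked):
    """True if the goal is still reachable once the leaves in `blocked` are defeated."""
    if node.op == "LEAF":
        return node.name not in blocked
    results = [feasible(c, blocked) for c in node.children]
    return all(results) if node.op == "AND" else any(results)

def attack_paths(node):
    """Minimal sets of leaf attacks that achieve this node's goal."""
    if node.op == "LEAF":
        return [{node.name}]
    if node.op == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    paths = [set()]                       # AND: every child must succeed
    for c in node.children:
        paths = [p | q for p in paths for q in attack_paths(c)]
    return paths

ROOT = Node("System/Enterprise security", "OR", (
    Node("1 Data snooping", "OR", (
        Node("read plaintext"), Node("recover WEP key"), Node("war driving"))),
    Node("2 Obtain connection", "OR", (Node("fake SSID"),)),
    Node("3 Network access", "OR", (
        Node("learn MAC filter"), Node("spoof MAC"), Node("layer-3 knowledge"))),
    Node("4 Inside the network", "AND", (
        Node("port/OS scan"), Node("password crack"))),
    Node("5 Denial of service", "OR", (Node("jamming"),)),
))

COUNTERMEASURES = {                       # items (a)-(e) -> leaves they defeat (assumed)
    "mutual authentication": {"fake SSID"},
    "RADIUS logon": {"fake SSID", "learn MAC filter", "spoof MAC"},
    "decouple auth from encryption": {"recover WEP key"},
    "VPN": {"read plaintext", "password crack"},
    "no SSID broadcast": {"war driving"},
}

def remaining_paths(applied):
    # Attack paths that survive after applying the named countermeasures.
    blocked = set().union(*(COUNTERMEASURES[c] for c in applied))
    return [p for p in attack_paths(ROOT) if not (p & blocked)]
```

With all five countermeasures applied, only the layer-3 knowledge and jamming leaves remain, which matches the paper's observation that the tree is open-ended and denial of service is not addressed by the list.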

The challenges in confronting these problems are many. Today we just face the scenario of breaking into wireless networks; soon it will be viruses and Trojan horses. Again, organizations linked to wireless networks compromise their wired network security. Soon Voice over IP services will be run on wireless networks: how much security overhead can be permitted in such real-time applications? The paper raises many such questions rather than answers. I hope the solutions will come from many researchers.

References:
1) Moore, Andrew P.; Ellison, Robert J.; Linger, Richard C. "Attack Modelling for Information Security and Survivability."
2) Dell Corporation. "802.11 Wireless Security in Business Networks." September 2001.
3) Borisov, Nikita; Goldberg, Ian; Wagner, David. "Intercepting Mobile Communications: The Insecurity of 802.11." August 2001.
4) Arbaugh, William; Shankar, Narendar; Wan, Y. C. Justin. "Your 802.11 Network has no Clothes." 30 Mar 2001.
5) Fluhrer, Scott; Mantin, Itsik; Shamir, Adi. "Weaknesses in the Key Scheduling Algorithm of RC4." 2001.
6) University of California, Berkeley, Computer Science Division. "Security of the WEP
7) IEEE 802.11 Working Group Recommendations, Standards.
8) Stubblefield, Adam; Ioannidis, John; Rubin, Aviel D. "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP."