Jan 20, 2016
Lecture 10 Mobile Security and M-commerce
§10.1 Basics of Security
§10.2 Security in Cellular Networks
§10.3 Security in WLAN
§10.4 Security in Ad hoc Networks
§10.5 Mobile Commerce
CIA – Requirements
Confidentiality
Availability
Integrity
Secure
AAA -- Measurements
Authentication
Accounting
Authority
Secure
Encryption
Symmetric-key cryptography
  Block: AES, DES
  Stream: RC4
  Hash: SHA, MD5
Public-key cryptography
  RSA, DH, etc.
PKI
  Infrastructure on Internet: digital certificates + public-key cryptography + certificate authorities
Network Security
15-441 Networks Fall 2002
Common Attacks and Countermeasures
Finding a way into the network: Firewalls
Exploiting software bugs, buffer overflows: Intrusion Detection Systems
Denial of Service: Ingress filtering, IDS
TCP hijacking: IPSec
Packet sniffing: Encryption (SSH, SSL, HTTPS)
§10.2 Security in Cellular Networks
GSM provides
Subscriber identity confidentiality:
  Protection against identifying which subscriber is using a given resource by listening to the signaling exchanges
  Confidentiality for signaling and user data
  Protection against the tracing of a user's location
Subscriber identity authentication:
  Protection of the network against unauthorized use
Signaling information element confidentiality:
  Non-disclosure of signaling data on the radio link
User data confidentiality:
  Non-disclosure of user data on the radio link
Authentication in GSM
Authentication in GSM -- Summary
Only the mobile authenticates itself to the network
Authentication is based on challenge-response:
  Challenge-response vectors are transmitted unprotected in the signaling network
The permanent identification of the mobile (IMSI) is only sent over the radio link when this is unavoidable:
  This allows for partial location privacy
  As the IMSI is sometimes sent in clear, it is nevertheless possible to learn about the location of some entities
  An attacker may impersonate a base station and explicitly demand mobiles to send their IMSIs!
Basically, there is trust between all operators!
General Packet Radio Service (GPRS)
Data transmission in GSM based on packet switching
Using free slots of the radio channels only if data ready
GPRS Protocol Architecture
GPRS Security
Security objectives:
  Guard against unauthorised GPRS service usage (authentication)
  Provide user identity confidentiality (temporary identification and ciphering)
  Provide user data confidentiality (ciphering)
Realization of security services:
Authentication is basically identical to GSM authentication:
  SGSN is the peer entity
  Two separate temporary identities are used for GSM/GPRS
  After successful authentication, ciphering is turned on
User identity confidentiality is similar to GSM:
  Most of the time, only the Packet TMSI (P-TMSI) is sent over the air
  Optionally, P-TMSI “signatures” may be used between MS and SGSN to speed up re-authentication
User data confidentiality is realized between MS and SGSN:
  Difference to GSM, which just ciphered between MS and BTS
  Ciphering is realized in the LLC protocol layer
3G Security
UMTS Security Architecture
(I) Network access security: protect against attacks on the radio interface
(II) Network domain security: protect against attacks on the wireline network
(III) User domain security: secure access to mobile stations
(IV) Application domain security: secure message exchange for applications
(V) Visibility and configurability of security: inform user of secure operation
[Figure: UMTS security architecture. Strata: application stratum, home stratum/serving stratum, transport stratum. Entities: User Application, Provider Application, USIM, HE, ME, SN, AN. Arrows labelled (I) to (IV).]
UMTS Network Access Security Services
User identity confidentiality:
  User identity (IMSI) confidentiality
  User location confidentiality
  User untraceability
Entity authentication:
  User authentication
  Network authentication
UMTS Network Access Security Services
Confidentiality:
  Cipher algorithm agreement
  Cipher key agreement
  Confidentiality of user data
  Confidentiality of signaling data
Data Integrity:
  Integrity algorithm agreement
  Integrity key agreement
  Data integrity and origin authentication of signaling data
UMTS Authentication Mechanism
Generation of UMTS Authentication Vectors
The HE/AuC starts with generating a fresh sequence number SQN and an unpredictable challenge RAND
For each user the HE/AuC keeps track of a counter SQN_HE
An authentication and key management field AMF is included in the authentication token of each authentication vector
Subsequently the following values are computed:
  a message authentication code MAC = f1_K(SQN || RAND || AMF), where f1 is a message authentication function
  an expected response XRES = f2_K(RAND), where f2 is a (possibly truncated) message authentication function
  a cipher key CK = f3_K(RAND), where f3 is a key generating function
  an integrity key IK = f4_K(RAND), where f4 is a key generating function
  an anonymity key AK = f5_K(RAND), where f5 is a key generating function
Finally the authentication token AUTN = SQN ⊕ AK || AMF || MAC is constructed.
UMTS User Auth. Function in USIM
Upon receipt of RAND and AUTN the USIM:
  computes the anonymity key AK = f5_K(RAND)
  retrieves the sequence number SQN = (SQN ⊕ AK) ⊕ AK
  computes XMAC = f1_K(SQN || RAND || AMF) and
  compares this with MAC which is included in AUTN.
If they are different:
  The user sends user authentication reject to the VLR/SGSN
If the MAC is correct:
  The USIM verifies that the received sequence number SQN is in the correct range:
    If SQN is not in the correct range, the USIM sends synchronisation failure back to the VLR/SGSN
    If SQN is in the correct range, the USIM computes:
      the authentication response RES = f2_K(RAND)
      the cipher key CK = f3_K(RAND) and the integrity key IK = f4_K(RAND).
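The vector generation at the HE/AuC and the check in the USIM described above, as an added example that is not part of the original lecture. The lecture does not specify f1..f5, so HMAC-SHA256 with a per-function tag stands in for them; the field lengths (48-bit SQN and AK, 16-bit AMF, 64-bit MAC, 128-bit RAND) follow the 3GPP specification, and the SQN acceptance window and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

def f(k, tag, data, n):
    # Stand-in for f1..f5 (assumption): HMAC-SHA256 keyed with K, truncated to n bytes.
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k, sqn, amf, rand=None):
    """HE/AuC side: build one authentication vector for sequence number sqn."""
    rand = rand or os.urandom(16)                  # unpredictable 128-bit challenge
    sqn_b = sqn.to_bytes(6, "big")                 # 48-bit SQN
    mac = f(k, b"f1", sqn_b + rand + amf, 8)       # MAC = f1_K(SQN || RAND || AMF)
    ak = f(k, b"f5", rand, 6)                      # AK = f5_K(RAND)
    return {
        "RAND": rand,
        "XRES": f(k, b"f2", rand, 8),
        "CK": f(k, b"f3", rand, 16),
        "IK": f(k, b"f4", rand, 16),
        "AUTN": xor(sqn_b, ak) + amf + mac,        # SQN xor AK || AMF || MAC
    }

def usim_authenticate(k, sqn_ms, rand, autn, window=32):
    """USIM side: returns (status, keys). sqn_ms is the highest SQN accepted
    so far; the acceptance window is an assumption of this example."""
    if len(rand) != 16 or len(autn) != 16:
        return "user authentication reject", None
    concealed, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn_b = xor(concealed, f(k, b"f5", rand, 6))   # SQN = (SQN xor AK) xor AK
    xmac = f(k, b"f1", sqn_b + rand + amf, 8)
    if not hmac.compare_digest(xmac, mac):         # constant-time comparison
        return "user authentication reject", None
    sqn = int.from_bytes(sqn_b, "big")
    if not sqn_ms < sqn <= sqn_ms + window:        # stale or replayed vector
        return "synchronisation failure", None
    keys = {"RES": f(k, b"f2", rand, 8), "CK": f(k, b"f3", rand, 16),
            "IK": f(k, b"f4", rand, 16), "SQN": sqn}
    return "ok", keys
```

The network accepts the mobile when RES equals XRES; the mobile accepts the network when XMAC equals MAC and SQN is fresh, which is the mutual authentication GSM lacks.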
Network Access Security in UMTS -- Summary
Similar to GSM security:
  The home AUC generates challenge-response vectors
  The challenge-response vectors are transmitted unprotected via the signaling network to a visited network that needs to check the authenticity of a mobile
  IMSI is still revealed to the visited network
  Still assumes trust between all network operators
Unlike in GSM:
  The network also authenticates itself to the mobile
§10.3 Security in WLAN
Most common variant is IEEE 802.11n, with data rate up to 150Mbps
Alternative version 802.11a/b/g
802.11 security
Shared media – like a network hub
  Requires data privacy - encryption
Authentication necessary
  Can access network without physical presence in building
Once you connect, you are an “insider” on the network
802.11 Security Approaches
Closed network: SSID can be captured with passive monitoring
MAC filtering: MACs can be sniffed/spoofed
WEP: Can be cracked online/offline given enough traffic & time
WPA and/or EAP: More secure
Wired Equivalent Privacy (WEP)
Part of 802.11 specification
To achieve equivalent security as wired link
Uses RC4 for encryption
Shared key – 40/104 bits
A 24-bit initialization vector (IV)
WEP Authentication
Open system authentication
  Essentially it is a null authentication algorithm
  Simple handshake – just two messages with no security benefit
  Usually enhanced with Web-based authentication
  E.g. SYSUWLAN
Shared Key Authentication
Mobile node sends request to AP
AP sends a 128-byte challenge text
Mobile node encrypts the challenge text using the shared secret key and an IV
Mobile node sends the secret text to AP
AP decrypts the text and compares it with the original challenge text – a match proves that mobile node knows the secret key
AP returns a success/failure indication to mobile node and completes the authentication process
WEP Data Encryption
To protect users from “casual eavesdropping”
Depends on an external key management service to distribute data enciphering/deciphering keys.
A block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length.
The key sequence is generated by the WEP algorithm.
WEP Data Encryption
PRNG: pseudorandom number generator
WEP Frame Body Expansion
Problems with WEP
Key Generation
ICV Generation
Weak Keys and Weak IVs
WEP Attacks
Key Generation Problems
The main problem of WEP is Key Generation.
Secret Key is too small, only 40 Bits.
  Very susceptible to brute force attacks.
IV is too small.
  Only 16 Million different possibilities for every packet.
Secret Keys are accessible to user, therefore not secret.
Key distribution is done manually.
ICV Generation Problems
The ICV is generated from a cyclic redundancy check (CRC-32)
  Only a simple arithmetic computation.
  Can be done easily by anyone.
Not cryptographically secure.
Easy for attacker to change packet and then change ICV to get response from AP.
Weak Keys and IVs
Certain keys are more susceptible to showing the relationship between plaintext and ciphertext.
There are approx. 9000 weak keys among the 40-bit WEP secret keys.
Weak IVs correspond to weak keys.
Attacks
Replay: Statistical gathering of certain ciphertext that, once sent to the server, will cause the wanted reaction.
802.11 LLC Encapsulation: Predictable headers to find ciphertext, plaintext combinations
Denial of Service Attacks: Flooding the 2.4 GHz frequency with noise.
WPA/WPA2
Wi-Fi Protected Access
  Also referred to as the IEEE 802.11i
WPA available around 1999
WPA2 became available around 2004
Enhanced security to replace WEP
  Improved data encryption
  User authentication
WPA/WPA2
Authentication
  802.1x & EAP allows auth. via RADIUS
  also allows auth via PSK (pre-shared key)
Encryption:
  WPA: TKIP
  WPA2: CCMP
WEP vs. WPA vs. WPA2
 | WEP | WPA | WPA2
Encryption | RC4 | RC4 | AES
Key rotation | None | Dynamic session keys | Dynamic session keys
Key distribution | Manually typed into each device | Automatic distribution available | Automatic distribution available
Authent. | Uses WEP key as AuthC | Can use 802.1x & EAP | Can use 802.1x & EAP
WPA Modes
WPA-Enterprise
  w/RADIUS for authC
WPA-PSK
  For home or SOHO
  “Pre-Shared Keys (PSK)” mode
  User enters master key on each computer
  Master key kicks off TKIP & key rotation
Mixed-mode
  Operates in WEP-only if any non-WPA clients
WPA Authentication
IEEE 802.1x
  Authentication mechanism for devices on a LAN or WLAN, with encapsulation of the Extensible Authentication Protocol (EAP)
802.1x Authentication
§10.4 Security in Ad hoc Networks
Security “on the air”
Secure routing
PKI in Ad hoc
“Over the Air”
Threats due to wireless communication
Attacks
  Eavesdropping, jamming, spoofing, “message attacks”
  Sleep deprivation torture
Countermeasures
  First attacks are not specific to ad hoc networks, well researched in military context:
  frequency hopping, spread spectrum
Secure Routing
Great number of attacks possible by
Not participating at all to save battery or partition the network
Spamming the network with RREQ
Changing routing information in RREP messages
Constantly or never replying with RERR
…
Securing Routing
Idea
Punish non-collaborative/malicious nodes by not forwarding their traffic
How to achieve?
Detection through “neighborhood watch”
Building a distributed system of reputation
Enable “re-socialization” through timeouts in the black list.
Securing Routing Information
Idea
Share the routing information through a secure channel
How to achieve?
Requires key management and security mechanisms
PKI in Ad hoc
Threshold Cryptography
Self-organized PKI
Threshold Cryptography
Emulate the central authentication authority by distributing it on several nodes acting as servers
Private Key is divided into n shares s1, s2, ... sn
Threshold Cryptography
(n, t+1) threshold cryptography configuration
n servers, if t are compromised, it is still possible to perform the service
E.g. (3, 2) threshold cryptography scheme
Threshold Cryptography
Threshold cryptography seems to be a very robust solution
However it needs some nodes to assume special behaviour
For instance it is appropriate for military applications
Inadequate for civilian networks
  Users behave in a completely selfish way
Self-organized PKI
Certificate issued by users
  Bind public key to an identity
Each user maintains a local certificate repository
  Certificates issued by itself
  Other certificates selected using some algorithms (Shortcut Hunter)
  Size of certificate repository is small compared to the total number of users in the system
Self-organized PKI
How it works
u wants to verify the public key of v
u and v merge their local certificate repositories (subgraphs)
u tries to find a certificate chain (path) from u to v in the merged repository
[Figure: subgraph of u, subgraph of v, and the path from u to v in the merged repository]
Self-organized PKI
Only probabilistic guarantee to find an appropriate certificate
Security self-organized as the WWW?
How can these mechanisms be put in place preventing their misuse?
§10.5 Mobile Commerce
M-commerce, M-business
Any e-commerce done in a wireless environment, especially via the Internet
Creates opportunity to deliver new services to existing customers and to attract new ones
Attributes and Economic Advantages
Mobility—users carry cell phones or other mobile devices
Broad reach—people can be reached at any time
Ubiquity—easier information access in real-time
Convenience—devices that store data and have Internet, intranet, extranet connections
Instant connectivity—easy and quick connection to Internet, intranets, other mobile devices, databases
Personalization—preparation of information for individual consumers
Localization of products and services—knowing where the user is located at any given time and match service to them
Mobile Service Scenarios
Financial Services.
Entertainment.
Shopping.
Information Services.
Payment.
Advertising. And more ...
Architecture of M-commerce
Mobile Payment
Can be a stand-alone service
Can also be an important enabling service for other m-commerce services
Could improve user acceptance by making the services more secure and user-friendly.
Mobile Payment
Customer requirements:
  a larger selection of merchants with whom they can trade
  a more consistent payment interface when making the purchase with multiple payment schemes, like:
    Credit Card payment
    Bank Account/Debit Card Payment
Merchant benefits:
  brands to offer a wider variety of payment
  Easy-to-use payment interface development
Bank and financial institution benefits:
  to offer a consistent payment interface to consumer and merchants
Payment via Internet Payment Provider
[Figure: payment via Internet payment provider. Labels: User, Mobile Wallet, WAP GW/Proxy, SMS-C, GSM Security, SSL tunnel, Browsing (negotiation), Merchant, MeP, IPP, CC/Bank]
Payment via Integrated Payment Server
[Figure: payment via integrated payment server. Labels: User, Mobile Wallet, WAP GW/Proxy, SMS-C, GSM Security, SSL tunnel, Browsing (negotiation), Mobile Commerce Server, ISO8583 Based, CP, Merchant, CC/Bank, Voice PrePaid, VPP IF]
Limiting Technological Factors
Mobile Devices: Battery, Memory, CPU, Display Size
Networks: Bandwidth, Interoperability, Cell Range, Roaming
Localisation: Upgrade of Network, Upgrade of Mobile Devices, Precision
Mobile Middleware: Standards, Distribution
Security: Mobile Device, Network, Gateway
Security of M-commerce
A Summary
Security in Cellular Networks
  GSM and UMTS
  Access network security
Security in WLAN
  WEP
  WPA/WPA2
Security in Ad hoc Networks
  PKI
M-commerce