Thursday, February 2, 2012

Differences between IEEE 802.11i, IEEE 802.11r, IEEE 802.11k and IEEE 802.11w

IEEE 802.11i



IEEE 802.11i is an enhancement to the 802.11 standard. It is also known as WPA2. It specify security mechanisms for wireless networks such as Wi-Fi. IEEE802.11i replaces the previous security specification that is called Wired Equivalent Privacy (WEP). This is because WEP was known to have severe security weaknesses. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher WEP and WPA use the RC4 stream cipher. The 802.11i uses the four-way handshake process for authentication.




During the authentication process, the Access Point (AP) needs to authenticate itself to the clients (STA) and keys to encrypt the traffic need to be obtained. An Extensible Authentication Protocol (EAP) exchange may have provided the shared secret key Pairwise Master Key (PMK) earlier. This key is designed to last the entire session and should be exposed as little as possible. The four-way handshake is used to establish another key that is called the Pairwise Transient Key (PTK). It is to put through a cryptographic hash function. The four-way handshake is shown in the diagram below:



The handshake also yields the Group Temporal Key (GTK), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are that the AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK. The STA sends its own nonce-value (SNonce) to the AP together with the MIC. The AP will be used in the nect multicast or broadcast frame, so that the receiving STA can perform basic replay detection. The STA sends a confirmation to the AP.


IEEE 802.11r

This standard is designed to speed up the handoffs between APs or cells in a wireless Local Area Network (LAN). The speed up of handoffs is important as clients such as mobile phones must be able to rapidly disassociate from one AP and connect to another. These handoff must be fast as it can lead to transmission "hiccups", loss of connectivity and degradation of voice quality. 802.11r refines the transition process of a mobile client as it moves between access points. The protocol allows a wireless client to establish a security and QoS state at a new access point before making a transition, which leads to minimal connectivity loss and application disruption.




Before 802.11r, each device must perform a full 802.11x authentication with a back-end RADIUS-based authentication server to establish encryption keys when it roams between two APs.
With 802.11r, the initial association to the networks still involves an exchange with the authentication server, but roaming time is reduced because encryption keys are distributed throughout the infrastructure before a roam occurs using 802.11r's three-tier hierarchy.

IEEE 802.11k
802.11k is a standard for radio resource management. It aims to provide key client feedback to WLAN access points and switches. It defines a series of measurement requests and reports that detail both Layer 1 and Layer 2 client statistics. APs or WLAN switches may either ask clients to report data, or might request data from APs. Measurements of 802.11k defines:

  1. Roaming decisions
  2. Radio Frequency (RF) channel knowledge
  3. Hidden nodes
  4. Client statistics
  5. Transmit Power Control (TPC)
1. To improve roaming decisions, APs or WLAN switches can provide a site report to clients. The standard defines a beacon request, in which an AP asks a client to go to a specific channel and report all the AP beacons it hears. The AP will then collect the data and a WLAN switch will analyze the beacon information, such as what services and encryption types each AP suuports and how strongly the client heard the AP. The switch or AP generates an ordered list of APs, from best to worst service called the site report.


2. With 802.11k, an AP could have a client build a "noise histogram", which will display all non-802.11 energy on that channel. An AP also can request data about channel load or how long the channel was used during a given time.


3. With 802.11k, clients track hidden nodes and APs query clients for those lists. This information tells AP about clients on the edge of their cells. APs can use the information to direct clients to APs from which they would get better service.


4. With 802.11k, APs and WLAN switches can query all clients to get reports on their statistics. With both data sets, a WLAN system will have a more complete view of network performance. Such statistics are to track items such as retries, packets transmitted and packets received.


5. TPC was defined in 802.11h to meet regulatory requirements in the 5GHz band in Europe. With 802.11k, it is extending the use of TPC procedures in other regulatory domains and frequency bands to reduce interference and power consumption, and provide range control.




IEEE 802.11w

The IEEE 802.11w Task Group (TG) is authorized to improve the secuirty of wireless networks by protecting management frames. To protect the confidentiality of management traffic, IEEE 802.w TG assumes that the client and the AP have exchanged dynamic key content. This precludes the protection of any management frames prior to the delivery of key content, thus exposing the network name (SSID) information and other capability information needed for clients to connect to the network.
The 802.11w TG can identify spoof management frames that disregard some malicious traffic used to launch Denial-of-Service (DoS) attacks against the network, such as deauthenticate flood attack. The IEEE 802.11w TG has not indicated it intends to provide protection for control frames on the wireless network. Without protection, the attacker can choose from a variety of DoS attacks that exploit various wireless-medium control techniques.
Posted by at No comments:

Wednesday, January 11, 2012

Microsoft’s Active Directory Security Feature



What is Microsoft's Active Directory?

It is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Active Directory serves as a central location for network administration and security. It is meant for authenticating and authorizing all users and computers within a network of Windows. It is also responsible to assign and enforce security policies for all computers in a network and installing or updating software on network computers. The Microsoft Active Directory uses Lightweight Directory Access Protocol (LDAP).

This active directory is designed to handle a large number of read
and search operations, and a significantly smaller number of changes and updates. Microsoft's Active Directory is hierarchical, replicated and extensible. As it is replicated, users would not want to store dynamic data. There are three partitions; domain, schema and configuration. The domain partition contains users, groups, contacts and many other object types. The schema partition contains classes and attributes definitions. Whereas, the configuration partition contains configuration data for services, partitions and sites.




Microsoft's Active Directory Security Features

    • Centralized data store - All data in the Active Directory are represented in a single, distributed data store. This allows users to have an easy access to the information from any location. This also requires less administration, less duplication and improves the availability and organization of data.
    • Integration with the Domain Name System (DNS) - Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Active Directory clients uses DNS to locate domain controllers.
    • Policy-based administration - In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or an organizational unit.
    • Replication of information - Active Directory provides multi master replication technology to ensure information availability, fault tolerance, load balancing and other performance benefits.
    • Flexible, secure authentication and authorization - It provides protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol and Secure Sockets Layer (SSL). Active Directory also provides security groups that span domains.
    • Security Integration - Active Directory is integrated with Windows Server 2003 security. Access Control (ACL) can be defined for each object in the directory and on each property of each object. Security policies can be applied locally, or to a specified site, domain or an organizational unit.
    • Signed and encrypted LDAP traffic - By default, Active Directory tools in Windows Server 2003 sign and encrypt all LDAP traffic. Signing LDAP traffic guarantees that the packaged data comes from an unknown source and that it has not been tampered with.
    Posted by at 2 comments:

    LDAP Security Feature

    What is LDAP?

    LDAP stands for Lightweight Directory Access Protocol. It is used for Network Information Services (NIS). NIS systems store common configuration details for computers on a network. These servers also perform directory services and act as an authentication servers. LDAP is a software protocol for enabling anyone to locate organizations, individuals and other resources such a files and devices in a network. LDAP is a smaller version of Directory Access Protocol (DAP) which is a part of X.500. X.500 is a standard for directory services in a network. The data are usually more to being read than to be written on such that, there are no rollback and no transactions.


















    Security Features for LDAP:

    1. Simple Authentication
    2. Secure Sockets Layer (SSL)


    1. Simple Authentication:
    • Basic authentication
    • Microsoft Windows NT LAN Manager (NTLM)
    • Negotiate
    Basic authentication uses clear text passwords. Basic authentication must tell the LDAP server who is going to be accessing the data so that the server can decide what the client is allowed to see or do. If the client authenticates successfully to the LDAP server, when the server receives a request from the client, it will check whether the client is allowed to perform the request. This process is called access control.
    Microsoft Windows NT LAN Manager (NTLM) uses a simple LDAP connection to Windows Active Directory for further authentication. It uses a suite of authentication and session security protocols to authenticate the clients. However, it is still in development.
    To use Negotiate authentication, the web browser must be written to understand it and configure correctly to do so, and the computer used, needed to be authenticated by the jerberos infrastructure and receiver the appropriated key from the Key Distribution Center (KDC).


    2. Secure Sockets Layer (SSL)
    SSL protocol can protect the users' data from being sniffed by other people who have physicall access to the network. It uses a program layer that is located between the Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL uses the public and private key encryption system.


    References:

    Posted by at 2 comments:

    Tuesday, January 10, 2012

    X.500 Security Feature



    What is X.500?

    X.500 is a series of computer networking standards that is very similar to the concept of a physical telephone directory. The purpose of X.500 is to centralize an organization's contacts. This is so that anyone who is within the organization who has internet access can look up other people who are in the same organization, either by name or department. This would save time and also for convenience. X.500 is an Open Systems Interconnection (OSI) protocol for managing online directories of users and resources. It was developed by the ITU-IT (ITU Telecommunication Standardization Sector is one of the three sectors of the International Telecommunication Union) and was first approved in 1988. To add on, X.500 can be used to support X.400 and other messaging systems, not just for email usage.

    X.500 is originally designed to give humans information such as telephone numbers and postal addresses. It is also designed for message handling, file transfer and name mapping for X.400 addresses. X.500 Client Server model are:
    • Directory Service Agent (DSA) - A server that holds directory information.
    • Directory User Agent (DUA) - A client that connects to a DSA to access information.
    • The DUA and DSA communicates via an Access Protocol DAP.
    • A lightweight version of DAP is Lightweight Directory Access Protocol (LDAP).

    What are the Security Features for X.500?


    • Strong Authentication and Asymmetric Encryption (Hashing)
    Hashing is a transformation of a message into a usually shorter or a fixed-length value string. The algorithm that is used must have the characteristic that it is virtually difficult to create a message. To allow message integrity, the hash value would typically change noticeably if one bit is changed into the original message.
    Asymmetric encryption requires the use of an encryption key pair that consists of a private and a public key. A message that is encrypted using either the private or the public key can only be decrypted by using the other key. The owner of the key pair is in the position of the private key. The copies of the public key can be distributed to a few parties.

    • Decryption (Digital Signatures)
    A message that is encrypted by the private key can be decrypted by anyone who holds the public key. If decryption is possible, only the user who holds the private key can send the message. This is used to create digital signatures. When a message is digitally signed, a hash is created. The hash would then be encrypted using the private key. The receiver decrypts the signature using the public key. If the two hashes are similar, the receiver would know that the message has been transmitted without a change and that the receiver would know if the sender is real and not a fake. This digital signatures also gives an end-to-end security in a distributed environment.


    References:
    Posted by at 2 comments:

    Thursday, January 5, 2012

    GPRS Security Feature, Threats and Solution



    What is GPRS?

    General Packet Radio Service or well known as GPRS, is a packet-based wireless communication service. It provides a continuous connection to the Internet for mobile phone and computer users. The higher data rates allow users to have a chance in using video conference and to also access websites that has multimedia. GPRS is based on Global System for Mobile (GSM) communication. The second generation of GPRS (2G) has data rates from 56Kbps to 11Kbps. Through the years, the enhancement of 2G has produced the third generation of GPRS (3G). 3G means that it uses EDGE (Enhanced Data Rates for Global Evolution) which delivers up to 4 times the GPRS rate.

    GPRS Security Features:

    • Integrity - It is a security service that ensures that the data cannot be modified in an unauthorized manner.
    • Confidentiality - It is the protection of data from disclosure to unauthorized third parties.
    • Authentication - It provides assurance that a user in data communication is real; who or what they claim to be.
    • Authorization - It is a security feature that ensures a user may only perform the actions that they are allowed to perform.
    • Availability - It means that data services are usable by the appropriate users in the manner intended.
    GPRS Threats:

    Availability
    - The most common type of attack on availability is Denial of Service (DoS) attack. Some of the types of DoS are:
    • DNS (Domain Name System) Flood - DNS servers on the network can be flooded with either corrupted DNS queries or others traffic. Therefore by doing this, others users will not be able to locate the Gateway GPRS Support Node (GGSN) to use an external gateway.
    • Border Gateway bandwidth saturation - A rogue operator that is connected to the same GPRS Roaming Exchange (GRX) may have the ability to generate enough amount of network traffic. It would then deny roaming access to or from the network.
    Authentication and Authorization
    - An imposter may appear to be a genuine user when they actually not. Some examples are:
    • Overbilling Attacks - This attack is when a rogue mobile station hijacks an IP address of another mobile station and invokes a download from a rogue server on the Internet. The mobile station that was attacked, receiving the download would get charged for traffic that it did not request. The same rogue attacker could also execute this attack for the purpose of sending broadcasts of not requested data in the direction of the users' cell phones. This would then lead the user to be billed for data that they did not request and might not have wanted.
    • Forged Update PDP Context Request - An attacker insert their own Serving GPRS Support Node (SGSN) into the Go Text Protocol (GTP) session and hijack the user's data connection.
    Integrity and Confidentiality
    • Capturing a users' data session - If an attacker can access to GTP or the DNS traffic, they can potentially discover confidential user's information. Without encryption, this data can be read or manipulated by unwanted parties.
    GPRS Solutions:
    • Ingress and Egress Packet Filtering - This will help prevent the Public Land Mobile Network (PLMN) from being used as source to attack the other roaming users. If the mobile operator is connected to more than on GRX, it will ensure that rouge attackers cannot arrive on paths where the other users are not connected.
    • Overbilling Attack Prevention - Enable the GTP firewall to notify the network's firewall of an attack. The network's firewall would then be able to terminate the "hanging" session, thus cutting of unwanted traffic. Therefore, the GPRS users would not be overbilled.
    • GTP Traffic Shaping - GTP rate limiting should be implemented to prevent the shared resources of bandwidth to be consumed or stolen by an attacker.

    References:
    Posted by at 2 comments:
    Labels:

    GSM Security Feature, Threats and Solution




    What is GSM?

    Global System for Mobile Communications or widely known as GSM, is a digital mobile telephony system. GSM alters and compresses data. It will then be sent down to a channel with two other streams of user data, each in its own time slot. It operates at either the 900Mhz or 1800Mhz frequency band.

    Security Features:

    • Authentication - The user is identified by the network operator. This information along with the user's authentication key, includes sensitive identification credentials. The design of the GSM authentication and encryption schemes is such that, this sensitive information would never be transmitted over the radio channel. The network operator uses a challenge-response mechanism to confirm the user is not a fake.
    • Signaling and Data Confidentiality - This protects voice, data and sensitive signaling information against eavsdropping on the radio path.
    • Anonymity - This protects against someone tracking the location of the user. It also protects against someone identifying calls made to or from the user by eavesdropping on the radio path.
    However, there are some problems with GSM security. Some examples are that, it only provides access security. This means that communications and signaling traffic in the fixed networks are not protected. Another example of the problem with GSM security is that is has a lack of user visibility. This means that for example, the user would not know if the authentication is encrypted or not.


    GSM Threats:

    • Eavesdropping
    - This means that an intruder can intercept the traffic and signaling information to other users. The required equipment for eavesdropping would be a modified mobile phone.

    • Impersonation of a User
    - This means that there is a rogue data or signaling messages that was sent to the network with the intent of making them appear to be from another user. To impersonate another user also requires a modified mobile phone.

    • Impersonation of the Network
    - This means that there is a rogue data or signaling message that was sent to another user with the intent of making them appear from a real genuine network. To impersonate a network, it also requires a modified mobile phone.

    • Man-In-The-Middle (MITM)
    - This means that an attacker is put itself in between the network and the valid user in order to eavesdrop, modify, delete, re-order or even forge the signaling data between the two parties.

    • Network Authentication Compromise
    - This means that the intruder has a compromised authentication vector which may include challenge/response pairs, cipher keys and integrity keys. This data may have been taken by intercepting signaling messages on network links.

    GSM Solutions:

    • Securing the backbone traffic - Encrypting the traffic between the networks can prevent the attacker to eavesdrop or modify the transmitted data.
    • Using secure algorithms - The network operators could perform improvement on themselves, without any need for the hardware and software manufacturers.
    • Change to a more secured platform.


    References:
    Posted by at 1 comment:
    Labels:
    Subscribe to: Posts (Atom)