Secure and Flexible Wireless Communication Model, Marcus Bergenlid

Secure and Flexible Wireless Communication Model
Marcus Bergenlid
Master of Science Thesis, Stockholm, Sweden, 2011

Master's Thesis in Computer Science (30 ECTS credits) at the School of Computer Science and Engineering, Royal Institute of Technology, year 2011. Supervisor at CSC was Douglas Wikström. Examiner was Johan Håstad.
TRITA-CSC-E 2011:132, ISRN-KTH/CSC/E--11/132--SE
Royal Institute of Technology, School of Computer Science and Communication (KTH CSC), Stockholm, Sweden

Abstract

Today, almost every household has a wireless network, and this development has increased the demands on wireless network security. The security issues have been addressed over the years, and standards have been developed that meet all requirements in most situations. A very important security factor is not to use short and predictable keys; instead, long and randomized keys should be used, but these are difficult for a normal user to remember. It can also be quite difficult (if not impossible) and error-prone to enter a long random password on devices with a very limited user interface, such as mobile phones and web cameras. This thesis mainly investigates different ways of performing secure device pairing that are still simple for the end user to carry out. The main focus lies on the ability to use the visual channel as an alternative communication channel.

Referat (Swedish abstract, translated): Secure and Flexible Wireless Communication Model

The security requirements on wireless networks have increased as these have become more and more common, and today there are standards that meet the requirements in most cases. A very important component of network security, however, is not to use short or predictable keys, but instead long and randomly chosen ones.
Such keys are, however, hard for the user to remember, and it can be quite difficult (not to say impossible) to enter them without error on devices with a limited user interface, such as mobile phones or web cameras. This thesis mainly investigates different ways of pairing devices that have a very limited user interface while keeping things simple for the user. The main part will focus on using the visual channel as an alternative communication channel.

Contents
  List of Figures
  List of Tables
  1 Introduction
    Background
    Problem specification
    Notation
  Previous work
    Existing standards
      Security in IEEE 802.11
      Security in IEEE 802.11i
      WPS
    Cryptographic hash functions
    Identification and key agreement
      Diffie-Hellman key agreement
      Public key infrastructure
      Diffie-Hellman with certificates
      Manual Authentication
      SiB
      Commitment schemes
  Identify the options
    Data protection
    Device pairing and key agreement
    External pairing server
    Out-of-Band channels
    Denial of Service
  Device pairing
    Pairing via visual indication to user
      Issues
      Improvements of the visual indication scheme
    4.2 Analysis of Out-of-Band channels
      Physical channel
      Visual channel
      Barcode as visual channel
      LED as visual channel
      Push button
    Pairing through visual channel
      High bandwidth visual channel
      Low bandwidth visual channel
  Conclusions
    Device pairing
    Future work
  Bibliography

List of Figures
  1.1 Communication in the alarm system
  A typical LSC used in this thesis
  A first approach to a scheme using visual indication
  Man-in-the-middle attack on the first approach to visual indication
  Improved identification scheme
  Man-in-the-middle attempt on the improved scheme in figure [number missing]
  Transmitting the string
  Authentication through high-bandwidth visual channel
  Man-in-the-middle attempt on the high-bandwidth visual channel
  Authentication through visual channel

List of Tables
  4.1 Errors in receiving the bit string $3295F4A_{16}$ with maximum difference vs. sliding mean
  Average error rate with different time intervals using a camera at about 6 cm from the light source
  Error correcting code with two symbols and three bits
  Comparison of the probability of forging the confirmation value when transmitting for 5 seconds
  Comparison of the probability of forging the confirmation value when transmitting for 10 seconds

Chapter 1 Introduction

Wireless alarms for personal use in houses or apartments usually consist of a set of sensors, a user control panel and some kind of central unit responsible for handling the behaviour of the alarm. They all communicate via a wireless network: the sensors must notify the central unit if an intruder is detected, and the user control panel should be able to send a disarm command when the user comes home and enters the correct PIN code. It is relatively easy for a user to add new sensors in these wireless alarms, as opposed to their wired counterparts, since no cables have to be laid across the room to connect the different components. To be as flexible as possible, the components themselves should not be configured to belong to a specific alarm system in advance. Instead, a user should be able to take any device compatible with the alarm system and add it to his or her own alarm.

Since it is easy for anyone in the close vicinity to intercept messages and transmit messages on a wireless network, it is important to consider some security issues that could appear in the alarm system. For example, we do not want any unauthorized persons to be able to look at images from our cameras, so they have to be protected somehow. Similarly, an intruder should not be able to send a disarm command to the components in the system and then simply walk into the house without triggering the alarm. It would therefore be good if we could distinguish a real component from a fake one. Let us say we encrypt all messages with a secret key known only to the components.
This way, only genuine devices can read messages, and any attempt by a fake device to send a message will result in an invalid message that the receiver will discard. However, this raises the question of how to handle the situation where an intruder actually uses a component to send the message in the first place. Consider, for example, a situation where two neighbours, Alice and Bob, both have an alarm installed at home. They live close enough that both alarm systems are in each other's range. It would be bad if one of Alice's components suddenly started sending messages to a component of Bob's alarm. In this situation, both devices are genuine and there is no actual adversary actively trying to sabotage the alarm, but we could still run into problems with which components to trust. Clearly, just being able to tell a genuine and a fake component apart is not enough to solve the problem. All components belonging to a particular alarm should therefore be distinguishable from a component of any other alarm. If the components all look the same when delivered, it is far from trivial to tell any two apart.

Consider the neighbour situation again, where Alice and Bob are about to add a sensor to their respective alarms. The expected outcome is of course that the sensor Alice is holding in her hand is added in a secure way to her alarm, and vice versa. This should work even if the sensors got mixed up in shipping and were delivered to the wrong customer; the sensor to be connected is still the sensor that the user is looking at. This indicates that the decision about which alarm a device should belong to is not made until the user actually adds the device to his or her particular system. Obvious issues that need to be considered are, for example: how do we prevent the new device from accidentally connecting to our neighbour's alarm? More seriously, how do we prevent or detect an intruder trying to impersonate the device at the same time as we are connecting it?
This is what device pairing is all about: taking any two wireless devices without any prior knowledge about each other and trying to establish a secure connection between them.

1.1 Background

The alarm system is built on standard hardware such as routers, web cameras and Android devices. By not using custom-built hardware, the product becomes cheaper than similar alarms on the market, since the hardware is mass produced and not made just for this particular system. One of the major features of this system that differs from traditional alarms seen today is that the users are able to control the alarm remotely through a web interface and also look at the latest events. Typically, a customer has a central unit, the master in the system, which holds the state of the alarm and all peripheral components connected to the system; it is basically just a wireless router running custom software. Peripheral components are the sensors, which react to events from the outside world and trigger an alarm if an intruder is detected. A panel with a user interface, from which the end user can control the alarm, is also connected to this wireless network. At present, the router is a Cisco wrt160nl running an OpenWrt Linux distribution (OpenWrt Backfire 10.03), which is designed to be a general-purpose operating system for wireless routers. The only sensors in use today are Acelink IP camera IC; the operating system on those is a Linux 2.4 kernel. Finally, the last component is the user interface, an Android tablet with API level 8 of the Android operating system.

Figure 1.1 illustrates the basic communication flow between the components: the router broadcasts events about everything that happens in the alarm, such as the alarm being triggered, the alarm being activated etc. It also issues commands to the camera sensors in order to control their behaviour.

Figure 1.1. Communication in the alarm system.
The Android tablet listens to the events from the router, updates the GUI appropriately and sends commands to the router when the user interacts with it, such as alarm/disarm. Also, the camera sensors notify the central unit about possible intruders that they detect.

1.2 Problem specification

Wireless networks have been protected and encrypted for years, and standards such as Wifi Protected Access (WPA and WPA2) have been developed and are widely used. It is up to the end user to ensure that the network is set up properly and that keys are generated and kept private. When selling a product that is in itself a wireless network, especially an alarm system with high security demands, the responsibility for security should not be put upon the customer. Therefore, the security should be implicit and somewhat transparent to the user so that it is simple to install. The security requirements for the alarm that are considered in this thesis are listed below.

  Data protection: Due to the sensitivity of the data being sent by camera sensors, an important security requirement is that all data is encrypted.
  Replay protection: It should not be possible to re-send a command.
  Availability: The system should be able to detect and handle all kinds of situations where one of the components is overloaded.
  Simplicity: The simplicity for the end user to install the system and add more devices is essential.

The first item is quite obvious: the data should be kept private so that no unauthorized persons are able to read it. Next, a threat that could be serious in an alarm system is replay attacks, where an intruder records a command, for example a disarm command, in order to resend it later. This would not even require the attacker to understand the content of the command itself; it would be sufficient to know the effect of the command.
Replay attacks could be avoided by including some unique information in each command, such as a sequence number that is incremented for each command. Another option is to use a challenge-response procedure: before a command is processed, the receiver sends a random challenge to the sender of the command and expects a result including a modification of that same random challenge. In a real-time system such as this, deadlines are essential, which means that the components of the system should be available at all times. There could be a serious threat if one sensor fails because it is overloaded, because of network failure or for any other reason. Imagine an attack where an intruder in some way keeps a camera sensor busy and prevents it from doing its intended job; the intruder could then just walk in without triggering the alarm. The system should include means to prevent attacks like those. In addition to those requirements, it should still be simple for the end user to install the system, and the user should not be required to handle long passwords or cryptographic keys.

The most difficult part, as we will see, is to simplify the process of secure device pairing, especially on devices with a very limited user interface such as the sensors. A customer should be able to obtain any device compatible with this system and connect it to his or her alarm in a secure way. This authentication problem is usually solved by letting the two devices share a secret known only to those two devices. Some shared secret knowledge is even a requirement for secure authentication, because if A and B know exactly the same things, there is no way for C to tell them apart. In many pairing situations, the devices do not share a secret and do not know anything about the other device either. This is especially true in an ad-hoc situation such as when pairing two mobile phones via Bluetooth or when connecting a laptop to a wireless network for the first time.
The only one who knows which phones to connect in the Bluetooth case is the user. In Bluetooth pairing, the problem is commonly solved by letting the user come up with a secret, e.g. a four-digit PIN, just before the pairing and enter that secret into both devices. That gives the two devices a common secret, and they will both require that the other device proves knowledge of this secret before continuing with the connection. However, this solution is not applicable when dealing with devices with a very limited user interface; it is difficult to enter even a simple four-digit PIN on devices without a keypad, for instance.

An important part of the authentication process is also that this secret is never revealed, so that no one else can use it later. Consider the example where users log on to a remote server. They enter their password on their local machine, which sends the password to the server. The server checks if the password is correct and, if so, grants access to the server. What if someone eavesdrops on the communication between the client and the server? They would then be able to obtain the password and use it later to impersonate the real user and access the server in his name. We would like to provide this password information in a secure way so that no one but the server can read it. The interesting part here is the question of why we send the password to the server in the first place. Do we want to let the server know the real password? No, all we wanted to do was to provide enough information so that the server could answer the question: does this user know the password or not? That is all the server needs to know to determine if the user should have access or not, and sending the real password is just one way of letting the server answer this question. It would be better if we could design a protocol after which the server can determine, with high confidence, whether the user knows the password or not, without revealing the real password.
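The challenge-response idea from the replay-protection requirement and the proof-of-knowledge question just raised can be seen in one exchange. The block below is an added example, not code from the thesis or the alarm system: the panel answers the router's fresh random challenge with an HMAC over challenge and command under the assumed shared key K_{A,B}, so the router learns whether the panel knows the key without the key ever being sent, and a recorded answer cannot be replayed because each challenge is consumed on first use.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret K_{A,B} between the control panel (A) and the router (B).
# How the two devices come to share it is the pairing problem the thesis studies; here it is assumed.
K_AB = secrets.token_bytes(32)
CHALLENGE_LEN = 16


def response_tag(key: bytes, challenge: bytes, command: bytes) -> bytes:
    """Tag = HMAC-SHA256(K_{A,B}, challenge || command).

    The challenge has a fixed length, so the concatenation is unambiguous.
    The key never appears on the wire; only the tag does.
    """
    assert len(challenge) == CHALLENGE_LEN
    return hmac.new(key, challenge + command, hashlib.sha256).digest()


class Panel:
    """Sender side (A): proves knowledge of K_{A,B} without transmitting it."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes, command: bytes) -> bytes:
        return response_tag(self._key, challenge, command)


class Router:
    """Receiver side (B): issues a fresh random challenge for every command."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending = set()   # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        c = secrets.token_bytes(CHALLENGE_LEN)
        self._pending.add(c)
        return c

    def verify(self, challenge: bytes, command: bytes, tag: bytes) -> bool:
        # A challenge is consumed on first use, whether or not the tag checks out,
        # so a recorded (challenge, command, tag) triple cannot be replayed.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = response_tag(self._key, challenge, command)
        return hmac.compare_digest(expected, tag)   # constant-time comparison


def run_exchange() -> dict:
    """One legitimate DISARM exchange, two replay attempts, and one attempt without the key."""
    panel, router = Panel(K_AB), Router(K_AB)
    command = b"DISARM"
    c1 = router.challenge()
    tag = panel.respond(c1, command)        # an eavesdropper can record c1, command and tag
    fresh_ok = router.verify(c1, command, tag)
    replay_same = router.verify(c1, command, tag)        # resend the recorded triple as-is
    c2 = router.challenge()
    replay_new = router.verify(c2, command, tag)         # old tag against a new challenge
    c3 = router.challenge()
    forged = router.verify(c3, command, Panel(b"wrong key").respond(c3, command))
    return {"fresh_ok": fresh_ok, "replay_same": replay_same,
            "replay_new": replay_new, "forged": forged}
```

A sequence number, the other option mentioned above, would replace the random challenge with a counter that the router checks is strictly increasing.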
In the best case, the protocol should be designed in such a way that listening to the communication between client and server does not help an adversary at all in guessing the user's password.

1.3 Notation

Some words about the notation in this thesis are included here to minimize confusion. A symmetric encryption key that is intended to be known only to the users A and B is denoted $K_{A,B}$. On the other hand, to make a distinction from the symmetric ones, $pk_A$ and $sk_A$ are used for A's public and private keys respectively. $K_{A,B}(m)$ means that the message $m$ has been encrypted with the key $K_{A,B}$. When a message consists of a concatenation of smaller messages, say $m_1$, $m_2$ and $m_3$, two vertical bars are used as the concatenation operator, e.g. $K_{A,B}(m_1 \| m_2 \| m_3)$. Other symbols are explained in the context they appear in.

Chapter 2 Previous work

2.1 Existing standards

The standards most commonly used today to protect a wireless network are IEEE 802.11, which introduced Wired Equivalent Privacy (WEP) and Wifi Protected Access (WPA) [2]. The Wifi Alliance has also developed a standard to simplify the process of connecting new devices to a wireless network [3]. The following sections will briefly describe these standards.

Security in IEEE 802.11

Wired Equivalent Privacy (WEP) was introduced in the IEEE 802.11 standard [2] to encrypt the data in a wireless network. As the name indicates, the data privacy was meant to be equivalent to that of a wired network. This section will briefly explain how WEP operates. WEP uses the RC4 encryption algorithm, which is a stream cipher that uses a key of the same length as the plain text and encrypts the message by XORing the plain text $P$ with the key $K$, i.e. the encrypted text $C$ is $C = P \oplus K$. This means that the key must be of the same length as the message being encrypted, which makes it impractical since you would need very long keys to encrypt most messages.
To solve this, the algorithm uses a shorter key (the WEP key that the user uses to connect to the network) as a seed to a random generator that produces a bit stream of sufficient length for each message. That bit stream is then used as the actual key to XOR with the plain text. The receiver, who also has the same WEP key, can upon reception generate the exact same bit stream by using the same random generator and decrypt the message with that. The decryption is done the same way, XORing the encrypted text $C$ with the key stream $K$, $P = C \oplus K$; this works since $c = x \oplus y \Rightarrow x = c \oplus y$. Due to the fact that packets can be lost during transit in a wireless network, the random generator is restarted for each frame being sent. Otherwise the two communicating parties' random generators would be out of sync if a packet was lost.

However, using the same key stream to encrypt all messages introduces another problem, namely that an attacker is able to guess the key stream by using the fact that $C_1 \oplus C_2 = P_1 \oplus P_2$: XORing two cipher texts gives the same result as XORing the corresponding plain texts. By guessing pieces of the plain-text packets, which could for instance be done quite easily with ARP packets, an attacker can soon retrieve the whole plain-text packets, and then the key stream $K$ is obtained with $K = C \oplus P$. To prevent the key stream from being repeated for each packet, WEP uses a 24-bit initialisation vector (IV), randomly generated by the sender for each frame, which is appended to the shared key before feeding it to the random generator. The IV must then be transmitted to the receiver in clear text along with the packet. We will not look any deeper into the flaws of the initial WEP protocol; it should be sufficient to say that it is possible for an adversary to recover the key with high probability in less than 60 seconds.
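To make the key-stream reuse argument concrete, the block below is an added example (not from the thesis, and not RC4: a SHA-256 counter-mode generator seeded with IV || key stands in for it; the key, IVs and frame contents are constructed). It checks the two relations stated above, $C_1 \oplus C_2 = P_1 \oplus P_2$ and $K = C \oplus P$, once with a repeated IV and once with distinct IVs, and adds the birthday estimate of how many frames a random 24-bit IV survives before it is expected to repeat.

```python
import hashlib
from math import pi, sqrt


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy key-stream generator seeded with IV || key.

    Stand-in for WEP's RC4(IV || key): SHA-256 in counter mode. Any deterministic
    generator shows the same reuse problem, which is the point of the example.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C = P xor K; decryption is the same operation, P = C xor K."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def keystream_reuse(same_iv: bool) -> dict:
    """Encrypt two frames and check the relations the text describes.

    With the same IV the key stream repeats, so C1 xor C2 = P1 xor P2, and a known
    P1 yields K = C1 xor P1, which decrypts C2. With different IVs neither holds.
    """
    key = b"constructed WEP key"                 # constructed sample values
    iv1 = bytes.fromhex("0a0b0c")                # 24-bit IV, as in WEP
    iv2 = iv1 if same_iv else bytes.fromhex("0a0b0d")
    p1 = b"ARP who-has 10.0.0.1"                 # frame whose content is easy to guess
    p2 = b"DISARM panel code OK"                 # frame the eavesdropper wants to read
    c1 = encrypt(key, iv1, p1)
    c2 = encrypt(key, iv2, p2)
    xor_relation_holds = xor(c1, c2) == xor(p1, p2)
    recovered_k = xor(c1, p1)                    # K = C xor P, needs only one known plain text
    return {"xor_relation_holds": xor_relation_holds,
            "p2_recovered": xor(c2, recovered_k) == p2}


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: random IVs are expected to repeat after about sqrt(pi * 2^bits / 2) frames."""
    return sqrt(pi * (2 ** iv_bits) / 2)
```

For 24-bit IVs the estimate is roughly 5100 frames, which is why a per-frame random IV of that size only delays the reuse problem on a busy network rather than removing it.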
Some attacks on WEP discovered over the years can be found in [22] and [9].

Security in IEEE 802.11i

Many of the flaws of WEP were fixed in Wifi Protected Access (WPA and WPA2) [2]. One of the key features is the new key hierarchy, where each client has a unique key with the access point (AP). The top-level key is the pre-shared key (PSK) or a master session key (MSK), depending on the authentication mode used. These keys are used to derive a pairwise master key (PMK), which the client and the AP use to agree upon a pairwise transient key (PTK). The PTK is then used in all further communication between the client and the AP. Because of this, each client connected to the