Network Security 6 - Link Level Security
Introduction
Data Link Layer
Goals
The goal of the data link layer is to provide reliable, efficient communication between adjacent machines connected by a single communication channel
mechanisms
grouping of Physical level bitstreams into frames
checksums -> calculate + send
receiver recomputes checksum + compare
ACKS / NACKS
Flow Control
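The framing and checksum mechanism listed above, as an added example that is not part of the original notes: the sender groups a payload into a frame with a small header and a CRC-32 trailer, the receiver recomputes the checksum and answers with ACK or NACK. The frame layout (2-byte length, 1-byte sequence number, payload, CRC-32) is a constructed toy format, not any real link-layer protocol.

```python
import struct
import zlib

# Constructed toy frame format for this example (not a real link-layer protocol):
#   2-byte payload length | 1-byte sequence number | payload | 4-byte CRC-32
HEADER = struct.Struct("!HB")
CRC_LEN = 4


def build_frame(seq: int, payload: bytes) -> bytes:
    """Group a chunk of the bitstream into a frame and append a CRC-32 checksum."""
    body = HEADER.pack(len(payload), seq & 0xFF) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def receive_frame(frame: bytes):
    """Receiver side: recompute the checksum and compare with the one sent.

    Returns ("ACK", seq, payload) for a clean frame and ("NACK", seq, None)
    when the checksum mismatches or the frame is truncated.
    """
    if len(frame) < HEADER.size + CRC_LEN:
        return ("NACK", None, None)
    body = frame[:-CRC_LEN]
    sent_crc = struct.unpack("!I", frame[-CRC_LEN:])[0]
    length, seq = HEADER.unpack_from(body)
    if len(body) != HEADER.size + length:
        return ("NACK", seq, None)          # length field disagrees with what arrived
    if zlib.crc32(body) & 0xFFFFFFFF != sent_crc:
        return ("NACK", seq, None)          # bit errors detected, sender must retransmit
    return ("ACK", seq, body[HEADER.size:])


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate channel noise by flipping one bit (constructed fault injection)."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


if __name__ == "__main__":
    f = build_frame(7, b"hello link layer")
    print(receive_frame(f))                 # ('ACK', 7, b'hello link layer')
    print(receive_frame(flip_bit(f, 40)))   # ('NACK', 7, None)
```

A CRC detects accidental channel errors; it is not a security service, because anyone who can modify the frame can also recompute the checksum. That is why the Layer 2 security services that follow need a keyed integrity check rather than a checksum.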
Layer 2 Security Services
Confidentiality
data origin authentication
connectionless integrity
access control
Wired Networks
Network Access Authentication
A mechanism by which access to the network is restricted to authorized entities
Once authenticated, the session needs to be authorized
Authorization can include things like VLANID, rate limits, filters, tunneling, etc...
Problems
each user on a multi-user machine does not need to authenticate once the link is up, so it doesn't guarantee that only the authenticated user is accessing the network
Hijacking by external attacker
to prevent hijacking, you need per-packet authentication
encryption orthogonal to authentication
per-packet MIC based on a key derived during the authentication process, linking each packet to the identity claimed in the authentication
Why do Authentication at the Link Layer
fast, simple and inexpensive
client doesn't need network (services) access to authenticate
enables authorizing all protocols at the same time
IEEE 802.1X
What it is
a framework for authentication and key management
Standard for authenticated and auto-provisioned LANs
Security Philosophy
Approach: a flexible security framework
implement security framework in upper layers
enable plug-in of new authentication, key management methods without changing NIC or Access Point
Leverage main CPU resources for cryptographic calculations
Advantages
decreases hardware cost and complexity
enables customers to choose their own security solution
can implement the latest, most sophisticated authentication and key management techniques with modest hardware
enables rapid responses to security issues
controlled and uncontrolled ports
introduces notion of two logical ports
the uncontrolled port allows a device to authenticate
the controlled port allows an authenticated device to access LAN services
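The two logical ports and the authorization step above (network access authentication, then attributes such as a VLAN ID and rate limit), as an added example that is not part of the original notes: a small authenticator model whose uncontrolled port admits only EAPOL frames (EtherType 0x888E, the real value) and whose controlled port forwards only for sources that have been authorized. The "identity:secret" payload and the `USER_DB` table are constructed stand-ins for the EAP exchange and the RADIUS server's reply.

```python
import hmac
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic the uncontrolled port admits
IPV4_ETHERTYPE = 0x0800

# Constructed stand-in for the authentication server's user database and the
# authorization attributes it would return on success (VLAN ID, rate limit, ...).
USER_DB = {
    "alice": {"secret": b"correct horse", "vlan": 10, "rate_kbps": 5000},
}


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes


@dataclass
class Authenticator:
    authorized: dict = field(default_factory=dict)   # src MAC -> authorization attributes

    def uncontrolled_port(self, frame: Frame) -> str:
        """Before authentication only EAPOL is admitted, and only to the authenticator itself."""
        if frame.ethertype != EAPOL_ETHERTYPE:
            return "drop"
        return self._toy_eap_exchange(frame)

    def _toy_eap_exchange(self, frame: Frame) -> str:
        # Constructed one-shot "identity:secret" check standing in for EAP + RADIUS.
        identity, _, secret = frame.payload.partition(b":")
        user = USER_DB.get(identity.decode(errors="replace"))
        if user is None or not hmac.compare_digest(user["secret"], secret):
            return "auth-fail"
        # Authentication succeeded: record the session's authorization for this link.
        self.authorized[frame.src_mac] = {"vlan": user["vlan"], "rate_kbps": user["rate_kbps"]}
        return "auth-success"

    def controlled_port(self, frame: Frame):
        """LAN services are reachable only once the source has been authorized."""
        attrs = self.authorized.get(frame.src_mac)
        if attrs is None:
            return ("drop", None)
        return ("forward", attrs)   # the switch would tag onto attrs["vlan"], apply the rate limit

    def logoff(self, src_mac: str) -> None:
        """EAPOL-Logoff (or link down) closes the controlled port again."""
        self.authorized.pop(src_mac, None)


if __name__ == "__main__":
    auth = Authenticator()
    mac = "aa:bb:cc:00:00:01"                       # constructed address
    data = Frame(mac, IPV4_ETHERTYPE, b"GET /")
    print(auth.controlled_port(data))                # ('drop', None)
    print(auth.uncontrolled_port(Frame(mac, EAPOL_ETHERTYPE, b"alice:correct horse")))
    print(auth.controlled_port(data))                # ('forward', {'vlan': 10, 'rate_kbps': 5000})
```

Note what the model authorizes: the link (here keyed by source address), not a user. Once the port is open, every frame from that source is forwarded, which is exactly the multi-user-machine problem named above.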
Security Protocols and Message Exchange
EAP - Extensible Authentication Protocol
what is it
provides a flexible link layer security framework
simple encapsulation protocol
based on TLS, SRP (Secure Remote Password)
RADIUS - Remote Access Dial in User Service
Supports authentication, authorization, and accounting for network access
allows centralized administration and accounting
Conversation
Supplicant - Authenticator - Auth. Server
Point-to-Point Protocol (PPP)
Purpose and Tasks
WAN connections between routers
Internet access of a PC via modem
Security Services
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
Comparison PPTP and L2TP
both protocols
use PPP to provide an initial envelope for user packets
extend the PPP model by allowing the layer-2 and the PPP endpoints to reside on different devices
support voluntary and compulsory tunneling
underlying network
PPTP requires an IP network to transport PDUs
L2TP supports different technologies
PPTP can only support a single tunnel between end points; L2TP allows for the use of multiple tunnels between end points
both protocols provide header compression
L2TP provides tunnel authentication, while PPTP does not
Wireless networks
Security Requirements
Confidentiality
messages sent over a wireless link need to be encrypted
Authenticity
origin of messages needs to be verified
replay detection
Integrity
cannot edit messages
Access control
only to legitimate entities
availability
protection against jamming and DoS attacks
IEEE 802.11 - Architecture of an Infrastructure Network
Station (STA)
Terminal with access mechanism
Basic Service Set (BSS)
group of stations using the same radio frequency
Access points
station integrated into the wireless LAN and the distribution system
Portal
Bridge to other wired networks
distribution system
interconnection network to form one logical network
WEP - Wired Equivalent Privacy
weaknesses
The Keys
does not specify any key management
key length - too short
Confidentiality
reuse of keystream
Integrity and Replay Protection
without knowing the key, the attacker can produce a message that seems authentic
Access Control is insecure
Key Scheduling
Life after WEP
WPA - WiFi Protected Access: TKIP + RC4
WiFi Protected Access 2: AES CCMP
intermediate solution
Temporal Key Integrity Protocol (TKIP)
Design Goals
Quick fix to existing WEP problems
can be implemented in WEP hardware
main concepts
Message Integrity Codes (MIC)
Sequence Counter
Dynamic Key management
key mixing
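The per-packet MIC and sequence counter described above (under "Problems" for wired access, and again as TKIP's main concepts), as an added example that is not part of the original notes: a MIC key is derived from material exchanged during authentication, every packet carries a counter and an HMAC over counter plus payload, and the receiver drops packets whose MIC does not verify or whose counter does not advance. The derivation transcript, the 8-byte counter, the 16-byte truncated HMAC-SHA256 tag and all inputs are constructed for this example; they are not TKIP's Michael MIC or its TSC format. No encryption is applied, since confidentiality is a separate service from authentication.

```python
import hashlib
import hmac
import struct

SEQ_LEN, MIC_LEN = 8, 16


def derive_packet_key(shared_secret: bytes, identity: bytes, a_nonce: bytes, s_nonce: bytes) -> bytes:
    """Derive the per-session MIC key from material exchanged during authentication.

    Constructed stand-in: a real 802.1X/EAP run would yield this material. The point is
    that the key is bound to the identity that was authenticated, so every packet
    carrying a valid MIC is linked to that identity.
    """
    transcript = b"per-packet-mic|" + identity + b"|" + a_nonce + b"|" + s_nonce
    return hmac.new(shared_secret, transcript, hashlib.sha256).digest()


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prepend a sequence counter and append a MIC over counter + payload."""
    header = struct.pack("!Q", seq)
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


class Receiver:
    """Verifies each packet's MIC and rejects counters that do not advance (replays)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1          # highest counter accepted so far

    def accept(self, packet: bytes):
        if len(packet) < SEQ_LEN + MIC_LEN:
            return ("drop", "truncated")
        header = packet[:SEQ_LEN]
        payload = packet[SEQ_LEN:-MIC_LEN]
        mic = packet[-MIC_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return ("drop", "bad MIC")      # tampered, or sent by someone without the key
        seq = struct.unpack("!Q", header)[0]
        if seq <= self.last_seq:
            return ("drop", "replay")       # counter reused: a recorded packet played back
        self.last_seq = seq
        return ("accept", payload)


if __name__ == "__main__":
    key = derive_packet_key(b"constructed secret", b"alice", b"A" * 16, b"S" * 16)
    rx = Receiver(key)
    p1 = protect(key, 1, b"first")
    print(rx.accept(p1))    # ('accept', b'first')
    print(rx.accept(p1))    # ('drop', 'replay')
```

The MIC check is what stops an external station from hijacking an authenticated link: without the session key it cannot produce a packet the receiver accepts, and the counter stops it from re-sending one it recorded.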
long term solution
AES in WLAN
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
IEEE 802.11i
Authentication
IEEE 802.1X
port based network access control
authentication and authorization of devices attached to LAN
Only WAP traffic allowed before authentication
roles
Supplicant (STA), Authenticator (AP)
Authentication Server (AS)
Remote Access Dial-in User Service (RADIUS)
EAP
Extensible Authentication Protocol
Authentication Framework
different Authentication methods
Key Hierarchy
PSK: pre-shared-key
MSK: master session key
MSK/PSK known only to STA and AS
PMK: Pairwise Master Key
key derived from the EAP-TLS (MSK)
PTK: Pairwise Transient Key
collection of operational keys
KCK (EAPOL Key Confirmation Key): used to prove possession of the PMK
KEK (EAPOL Key Encryption Key): distribution of group transient key (GTK)
TK (Temporal Key) used for encryption
GTK: Group Transient Key
Attacks and Countermeasures
inherited attacks
de-authentication, de-association
Security level rollback attack
reflection attack
Denial of Service