Ανάπτυξη του πρωτοκόλλου CCMP για ασφαλή ασύρματα δίκτυα 802.11 σε FPGA / FPGA implementation of the CCMP protocol for secure wireless networks 802.11

Λαουδιάς, Χρήστος

16 May 2007

Τα ασύρματα δίκτυα που βασίζονται στο πρότυπο ΙΕΕΕ 802.11 είναι σήμερα από τα πλέον δημοφιλή παγκοσμίως. Παρόλη την ευρεία διάδοσή τους υπάρχει σημαντικό πρόβλημα όσον αφορά την ασφάλεια των δεδομένων που διακινούνται εντός του δικτύου. Αρχικά, στο πρότυπο οριζόταν μία μόνο μέθοδος για την ασφάλεια των πληροφοριών, που ονομάζεται WEP (Wired Equivalent Privacy) και βασίζεται στον αλγόριθμο κρυπτογράφησης RC4. Ήδη από το 2000 το WEP έχει αποδειχθεί ανεπαρκές και οι προσπάθειες για την αύξηση του επιπέδου της ασφάλειας οδήγησαν πρόσφατα στο πρότυπο ΙΕΕΕ 802.11i. Το πρότυπο ορίζει μία νέα μέθοδο, που εγγυάται την ασφάλεια των δεδομένων στο MAC επίπεδο. Ονoμάζεται CCMP και βασίζεται στον αλγόριθμο κρυπτογράφησης AES (Advanced Encryption Standard). Το CCMP παρέχει εμπιστευτικότητα (confidentiality), επικύρωση (authentication), ακεραιότητα (integrity) και προστασία από την επανάληψη πακέτων (replay protection). Βασίζεται στη χρήση του αλγόριθμου κρυπτογράφησης AES σε κατάσταση λειτουργίας CCM. Το CCM συνδυάζει την κατάσταση λειτουργίας CTR (Counter mode) για εμπιστευτικότητα και την CBC (Cipher Block Chaining mode) για επικύρωση και ακεραιότητα. Το CCM προστατεύει την ακεραιότητα τόσο των δεδομένων του πακέτου, όσο και συγκεκριμένων τμημάτων της επικεφαλίδας του πακέτου. Η επεξεργασία που γίνεται στο CCMP από τον αλγόριθμο AES χρησιμοποιεί μέγεθος κλειδιού 128-bit και μέγεθος μπλοκ 128-bit. Μετά την επεξεργασία από το CCMP το μέγεθος του πακέτου έχει επεκταθεί κατά 16 bytes, 8 bytes για την επικεφαλίδα του CCMP και 8 bytes για την ψηφιακή υπογραφή MIC (Message Integrity Code). Τα δεδομένα του πακέτου και το MIC μεταδίδονται κρυπτογραφημένα, αφού προστεθεί η αρχική επικεφαλίδα του πακέτου και η επικεφαλίδα του CCMP. Στα πλαίσια της διπλωματικής μελετήθηκαν διάφορες αρχιτεκτονικές για την υλοποίηση του συστήματος κρυπτογράφησης/αποκρυπτογράφησης σύμφωνα με το CCMP. Οι αρχιτεκτονικές αυτές παρουσιάζουν διαφορετικά χαρακτηριστικά όσον αφορά την επιφάνεια, την ταχύτητα λειτουργίας και το συνολικό throughput. Η υλοποίηση και ο έλεγχος ορθής λειτουργίας των σχεδιασμών έγινε σε τεχνολογία FPGA Spartan-3 της εταιρίας Xilinx. / Today, wireless networks IEEE 802.11 are very popular. Despite their worldwide deployment there is significant problem, as far as the security of the data exchanged through the network, is concerned. Initially, there was only one method defined for the security of information, called WEP (Wired Equivalent Privacy). WEP is based on the RC4 encryption algorithm. It is proven, since 2000, that WEP provides insufficient security and recent research efforts in the direction of a more secure solution have led to IEEE 802.11i standard. A new method, applied in the MAC layer, which provides a higher level of security, is defined in this standard. This method is called CCMP and is based on the AES encryption algorithm (Advanced Encryption Standard). CCMP provides confidentiality, authentication, integrity check and replay protection. It uses AES in the CCM mode of operation. CCM combines the CTR (Counter) and CBC (Cipher Block Chaining) modes of operation, for confidentiality and authentication/integrity, respectively. CCM protects the integrity of plaintext data, as well as selected portions of the IEEE MAC header. CCMP processing uses AES with 128-bit encryption key and 128-bit block size. CCMP extends the original packet size by 16 bytes; 8 bytes for the CCMP header and 8 bytes for the digital signature called MIC (Message Integrity Code). Plaintext data and MIC are encrypted and the original MAC header, as well as the CCMP header is included in the packet before transmission. Various architectures for the implementation of an encryption/decryption system based on CCMP were studied. These architectures have different characteristics concerning area overhead, minimum clock period and overall throughput. Circuits were implemented and verified using Xilinx’s Spartan-3 FPGA technology.

CCMP

AES

FPGA

Wireless

Ασύρματα δίκτυα

Ασφάλεια

384.5

CCMP

AES

FPGA

Security

Υλοποίηση κρυπτογραφικού συστήματος σε υλικό για ασύρματες επικοινωνίες

Πρασσά, Διονυσία

31 October 2008

Η αυξανόμενη χρήση ασύρματων συσκευών προωθεί την υλοποίηση WLANs, διευκολύνοντας τον χρήστη να έχει πρόσβαση στις πηγές του δικτύου οποιαδήποτε στιγμή και από οποιοδήποτε σημείο. Όμως, ένα από τα προβλήματα που εισάγει η ασύρματη επικοινωνία είναι η ασφάλεια των μεταδιδόμενων δεδομένων όσον αφορά το ασύρματο κομμάτι της σύνδεσης, δηλαδή μεταξύ χρήστη και σημείου πρόσβασης ή μεταξύ δύο χρηστών. Το νεότερο πρωτόκολλο προστασίας που διευθετεί το θέμα της ασφάλειας είναι το IEEE 802.11i. Σκοπός αυτής της διπλωματικής εργασίας είναι η μελέτη και η υλοποίηση του μηχανισμού κρυπτογράφησης του πρωτοκόλλου CCMP σε γλώσσα περιγραφής υλικού VHDL, που αποτελεί το κύριο πρωτόκολλο προστασίας δεδομένων που ορίζει το πρωτόκολλο IEEE 802.11i. / The growing use of wireless applications boosts the evolution of WLANs, so that the user can have full access to the net sources regardless time and place. However, one of the biggest issues of wireless communications is the safety of the transported data between the station and the Access Point or between the two stations. IEEE 802.11i is the recent protocol for protection in WLANs. The goals of this thesis are the study and the development of the cryptographic protocol CCMP in VHDL. CCMP is the mandatory cryptographic protocol defined in IEEE 802.11i.

005.82

Wireless communications

CCMP

AES

IEEE 802.11i

Bezpečnostní analýza bezdrátových sítí / Wireless networks security analysis

Szőcs, Juraj

January 2010

This master’s thesis deals with analysis of security in wireless networks. There are desc- ribed various methods of security systems, such as WEP, TKIP and CCMP. There is also realization of attacks against the wireless network and there is analysis of security weaknesses. Then there are discussed possible defense mechanisms. Part of this work was also analysis of local security in certain areas and evaluation of their security.

Analýza šifrovacích algoritmů ve standardu 802.11 / Analysis of Cryptographic Algorithms 802.11

Vojtíšek, Jindřich

January 2014

This work deals with wireless standard 802.11, primaly about security algorithms used in them. Further there is made analysis of algorithms WEP, WPA and WPA2. This algorithms are described how coding by them works and for easier understandig are added block schemes of their principles. In practical part is realized algorithms WEP, WPA and WPA2 in program Matlab simulink. Model is complemented by graphs which shows how data changes when comming throught this systems.

Zabezpečení bezdrátových sítí IEEE 802.11 / Security of wireless computer networks IEEE 802.11

Škodák, Jaroslav

January 2008

This work describes available and used standards, protocols and mechanisms used to secure IEEE 802.11 wireless networks. In the next section are listed vulnerabilities and possible attacks against different types of security. The principles of individual attacks on authentication, WEP security and WPA/WPA2 personal mode are described and realized using various software especially linux program aircrack-ng. Password for WEP security is obtained by passive eavesdropping data, using ARP replay injection and by creating own frames. The last two methods are used to generate traffic on the network, which is captured and then used to derive the WEP password. By injecting ARP frames, password was found in the number 60 000 captured frames and about 180 000 frames of data was needed for passive method. Decryption of WEP frame was done by fragment and KoreK chopchop attacks. This decrypted frame could be used to create fake frames and obtain WEP password. Brute force attack is realized for security WPA (WPA2) personal mode (often due to lack of strong password) by comparing password (passphrase) from password list. Speed of comparing is about 200 passwords/s.

Analyzing Wireless LAN Security Overhead

McCarter, Harold Lars

16 May 2006

Wireless local area networks (WLAN) are beginning to play a much larger role in corporate network environments and are already very popular for home networking applications. This increase in accessibility has created large security holes for hackers and thieves to abuse, which is finally being addressed by stronger security methods such as advanced encryption algorithms and efficient authentication processes. However, these security methods often hamper network performance unbeknownst to engineers and users. This research examines the effects of Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and Counter Mode/CBC-MAC Protocol (CCMP) encryption algorithms on throughput rates for IEEE 802.11 networks as well as the authentication times for Lightweight Extensible Authentication Protocol (LEAP) and Protected Extensible Authentication Protocol (PEAP). The research shows that today's wireless hardware is capable of reducing overhead of even the most advanced encryption schemes to less than five percent of the total bandwidth. / Master of Science

TKIP

Wireless Network Security

Encryption Overhead

Authentication Delay

CCMP

PEAP

WEP

LEAP

Wireless-LAN im Studentennetzwerk (CSN)

Glöckner, Alexander

02 April 2006

Inhalt der Diplomarbeit sind Untersuchungen zur Authentifizierung und Verschlüsselung von drahtlosen Netzwerkverbindungen.

802.1X

AAA

AES-CCMP

DIAMETER

EAP

TKIP

VPN

WPA2

ddc:004

Netzwerk

RADIUS <Informatik>

Virtuelles privates Netzwerk

Bezpečnost bezdrátových počítačových sítí / Security of wireless computer networks

Jelínek, Martin

January 2010

The master's thesis deals with the issue of Wireless Local Area Network (WLAN) from the viewpoint of the security and functional principle of security mechanisms. The transition to the issue concerning the security is accompanied by the methods of wireless data transmission operating on the level of physical layer (FHSS, DSSS, OFDM, MIMO), which is followed by the summary of individual 802.11 standards. The next part deals with the issue of shared transmission medium (CSMA/CA), influence of interference and correcting mechanisms (RTS/CTS). Within the security, the principles of the authentication along with the commonly used methods of security (WEP, WPA, WPA2) are described in detail. The first part concerning security deals with the security in the form of the WEP protocol, which is considered insufficient nowadays and points out the imperfect implementation and the consequent risks. The following part describes the security in the form of WPA which eliminates the implementation weaknesses of the previous WEP security protocol. The description of commonly used mechanisms of authentication (PSK, 802.1x), required temporary key management (PTK, GTK), data integrity (MIC) and encryption which uses TKIP protocol are also included. The last part, possible WLAN security, is aimed at the full support of 802.11i standard, which is called WPA2 (sometimes RSN). That part describes the basic encryption security element CCMP, which is based on the AES block cipher modes. The practical part of the thesis deals with the security verification of current wireless networks. In the process of verification the accessible HW means and programming tools of Open Source Software (OSS) are used. By means of verification it has been pointed out that there are possible security risks resulting from the security method which has been used. Also several recommendations how to reduce the security risks of the used method to minimum are mentioned.

Wireless-LAN im Studentennetzwerk (CSN)

Glöckner, Alexander

14 December 2005

Inhalt der Diplomarbeit sind Untersuchungen zur Authentifizierung und Verschlüsselung von drahtlosen Netzwerkverbindungen.

info:eu-repo/classification/ddc/004

ddc:004

Netzwerk

RADIUS <Informatik>

Virtuelles privates Netzwerk

802.1X

AAA

AES-CCMP

DIAMETER

EAP

TKIP

VPN

WPA2

Zabezpečení bezdrátových sítí / Wireless Network Security

Sedlák, Břetislav

January 2009

Master thesis focuses on wireless network security. The thesis is divided in two parts. First part describes today’s used standards and their components, topology and security methods as stealth SSID, MAC addresses filtration, WEP, WPA and WPA2. The last three methods are described in detail. In second part there are realized attacks on above described methods of security. There are described attacks on WEP as KoreK chopchop attack, fragment attack, attack FMS, KoreK and attack PTW. Then is described the dictionary attack on passphrase by WPA/WPA2 with PreShared Key authentication obtaining, precomputed hash tables for faster passphrase finding and for using more core procesors during dictionary browsing. The last attack describes obtaining of keystream used for encrypting of frames by WPATKIP and then sending custom data to client. It is described how to carry out each attack and how to protect against them.