Architecture of Secure Cross-Platform and Network Communications

Weijia Jia (1), Dai Bin (1,2), Lin Liao (1)

(1) Department of Computer Science, City University of Hong Kong, Kowloon, Hong Kong SAR, China
(2) Department of Electronic and Information, HuaZhong University of Science and Technology, Wuhan, China

{wei.jia,daibin}@cityu.edu.hk, [email protected]

ABSTRACT

The convenience of wireless LAN and the deployment of 3G networks are making cross platform/network services (CPS) popular. The core reasons for the vulnerabilities of CPS stem from the transformation of data and control messages and the protocol translation that occur in cross-network and cross-platform operations. During translation and transcoding, new threats can be introduced that go beyond what data cryptography covers. We investigate in particular the threats facing Internet-3G-WiFi services and propose an architecture for secure CPS (SCPS). We illustrate the newly defined attacks that are unique to CPS, analyze how the traditional attacks (TA) and the cross-platform attacks (CPA) are conducted in cross-platform mode, and propose the corresponding countermeasures.

Categories and Subject Descriptors: C.2.2 [Network Protocols]: Cross 3G, Ethernet and WiFi – cross network security design.

General Terms: Security, Network, Management, Design.

Keywords: Security, Cross-Platform, Cross-Network, 3G, Wi-Fi.

1. INTRODUCTION

The convenience of wireless LAN and the deployment of 3G networks make cross platform/network services (CPS) more popular nowadays; they have grown to span the Internet, metropolitan 3G networks and Wi-Fi networks. It is increasingly impractical for an application to work only within one separate network environment, since users are comfortable accessing the Internet via WLAN in daily use, watching their favourite TV programs on 3G phones, or holding a video conference with friends connected via WLAN.

However, CPS is not a simple combination of separate network protocols. CPS raises new security issues that lie outside the range of existing security concerns. Traditional security research assumes that the attackers and the victims are reachable in the same homogeneous network, whereas in a cross-platform scenario the attackers can come from any kind of network. Hence, despite the evident advantages of such cross-network applications, how popular they eventually become is tightly contingent on their security, since CPS must also handle trans-protocol, trans-coding and trans-media operations. While the security of each separate network has been well addressed, end-to-end security across such cross-platform networks is largely unexplored, and when entities attempt to communicate across networks there is a host of security vulnerabilities. Consider a CPS scenario in which an Internet service provider has to serve subscribers who reside in heterogeneous networks. Putting terminals on these networks exposes their vulnerabilities to all possible attackers in every connected network; consequently the server may be unable to respond to normal requests because of a DoS attack. The cyber/wireless environment can therefore be a breeding ground for attacks as well as for services.

Fundamentally, the core reasons for the vulnerabilities of CPS stem from the transformation of data and control messages and the protocol translation that occur in cross-network and cross-platform operations. This cross nature brings security issues that are not covered by existing solutions alone. For instance, cross operations often involve translation between signaling and media/data; during translation/trans-coding, new threats can be introduced because trans-coding goes beyond the reach of data cryptography (media that is encrypted end to end cannot be transcoded, so the gateway has to decrypt, process and re-protect it, and the gateway itself becomes part of the trust boundary). Another source of vulnerability is that when a chain of communication traverses multiple networks, it is easy for attackers to breach the weakest link in the chain and thereby cause significant damage to otherwise well protected networks in the chain. In this paper, we investigate the threats facing cross-platform/network services (CPS) and propose a cross-platform secure architecture called Secure CPS (SCPS). We reveal the newly identified attacks (NA) unique to CPS, analyze the cross-platform attacks (CPA) conducted in cross-platform mode, and study how the traditional attacks work in a cross-platform/network application and how they differ from the same attacks within a single network. In the SCPS, we also propose the corresponding countermeasures to the attacks. To the best of our knowledge, this is the first work to address the security requirements of CPS. The rest of the paper is organized as follows. Section 2 discusses related work on 3G and Wi-Fi security. Section 3 proposes the architecture of SCPS and the related threats. Section 4 tackles the Internet-3G-WiFi cross-network attacks and countermeasures, using VoIP as the illustrating application. Section 5 concludes the paper.

2. RELATED WORKS

IEEE 802.11: The WEP protocol of the IEEE 802.11 standard has been replaced by WPA/WPA2 because it was broken in 2001. Fluhrer et al. identified recurring weak keys in WEP and showed how to use them to recover the secret key [1]. Stubblefield, Ioannidis and Rubin demonstrated an implementation that recovers a 128-bit WEP key based on the partial key exposure vulnerability in the RC4 stream cipher [2, 3]. Although WPA2 is more secure than WEP, the management frames in IEEE 802.11i are not authenticated (protected management frames were only added later by IEEE 802.11w). Hence 802.11 is highly susceptible to malicious denial-of-service attacks targeting its management and media access protocols [4]. A denial of network availability involves some form of DoS attack, such as jamming. Such attacks can easily be accomplished by an adversary either bypassing MAC-layer protocols or emitting a radio signal aimed at jamming a particular channel. Bellardo et al. describe existing denial-of-service vulnerabilities in the 802.11 MAC protocol, give an experimental analysis of de-authentication and virtual carrier-sense attacks, and find the de-authentication DoS attack to be highly effective in practice [5]. Xu et al. proposed channel surfing and spatial retreats as defenses against wireless DoS: channel surfing changes the transmission frequency to a range where there is no interference with the adversary, and a spatial retreat moves the wireless users to a new location without interference. The same authors also proposed detecting a DoS attack by monitoring the sensing time before a channel becomes idle at the MAC layer and by observing the noise levels in the channel at the PHY layer [6]. Faria proposed a mobility-aware access control mechanism comprising the SIAP and SLAP protocols; SIAP avoids DoS attacks that are effective against DHCP servers, and SLAP disables some other attacks based on the use of shared keys [7]. In 2006, Bahl et al. proposed DAIR, a framework for monitoring enterprise wireless networks that is effective for detecting DoS attacks and rogue wireless devices through a dense deployment of sensors [8]. The radio signal strength indicator (RSSI) is often adopted as an approach to identifying wireless devices. In [9], the authors define a signalprint for each packet of interest as the tuple of RSSI values observed by all APs in its range. Signalprints are found to be strongly correlated with physical location, and with suitable comparison rules one can detect devices launching a DoS or impersonation attack by MAC address spoofing. As a signalprint is hard to spoof, it has proved effective for identifying the transmitter. Besides signal strength, radio frequency fingerprinting is another approach to identifying wireless devices [10]. Another challenging issue in WLAN is the detection of rogue access points, i.e., wireless access points installed without explicit authorization from the local network management. Since the IEEE 802.11 standard defines only one-way authentication, rogue APs readily open up the network, steal sensitive user information and launch attacks on nearby well-planned APs. Broadly speaking, there are two approaches to detecting rogue APs: monitoring the radio frequency airwaves, and monitoring incoming traffic at an aggregation point. In [11], the authors utilize the TCP ACK-pair technique to differentiate wired from wireless LAN TCP traffic and detect rogue access points using a sequential hypothesis test applied to packet headers.

3G Network Security: With the advent of third-generation (3G) mobile systems, a serious effort has been made to create a consistent security architecture based on the threats and risks a 3G system faces. [12] contains an evaluation of perceived threats to 3GPP systems and derives a list of security requirements to address them. The threats are mostly associated with attacks on the radio interface, the terminal and UICC/USIM, and the system design itself. [13] defines the security architecture, i.e., the security features and security mechanisms, of the third-generation mobile telecommunication system. A security feature is a service capability that meets one or several security requirements; a security mechanism is an element used to realize a security feature; all security features and requirements taken together form the security architecture. An example of a security feature is user data confidentiality, and a mechanism that may implement it is a stream cipher using a derived cipher key. 3G cellular systems provide wide coverage and nearly live up to the bit-rate expectations placed on them, whereas WLAN systems already offer bit rates surpassing those of 3G systems but are often found lacking with respect to roaming and mobility support. In short, WLAN systems are great for hot-spot coverage, while 3G systems provide global coverage and the network and management infrastructure needed for security, roaming and charging.

However, the integration of different access technologies may expose confidential information to cross-platform attacks. Many threats against 3G network resources can be realized by attacking the WLAN access network, so it is important to identify the security requirements for 3G-WLAN interworking and choose a security solution that is robust and adaptable to different levels of WLAN access network [14]. In [15], Sher and Magedanz presented the vulnerabilities, threats and attacks of 3G networks converged with WLAN and proposed a security model addressing the roaming and non-roaming scenarios. Their architecture is based on the Extensible Authentication Protocol (EAP) for USIM Authentication and Key Agreement (AKA) and authorization procedures, and on secure tunnel establishment using the IKEv2 (Internet Key Exchange) protocol to minimize security threats. The authors also discussed the termination of fake or forged WLAN sessions to protect confidential user information on the vulnerable wireless link. The development is part of the Secure Service Provisioning (SSP) framework of the IP Multimedia Subsystem (IMS) at the 3Gb testbed of Fraunhofer FOKUS.

3. ARCHITECTURE OF SCPS

The typical architecture of a cross platform/network service (CPS) is shown in Figure 1, where a 3G network, an 802.11 WLAN and WiMAX are incorporated. We divide the architecture of the Secure CPS (SCPS) into three parts for elaboration: the Internet, 3G and Wi-Fi networks (we omit the discussion of crossing the WiMAX network for lack of space).

Figure 1. Cross-Platform Network Architecture

We categorize the attacks in the CPS into three classes: traditional attacks in the Internet (abbreviated TA), newly identified attacks in CPS (NA), and cross-platform attacks (CPA). Traditional attacks here means the well-known Internet attacks, but launched across Internet-3G or Internet-Wi-Fi, which makes them harder to detect. Newly identified attacks in CPS are a series of attacks that we discovered in cross-platform/network applications; an NA is driven by the trans-signaling, trans-coding and trans-data procedures of cross-platform communication. Cross-platform attacks are attacks particular to certain networks such as Wi-Fi, but launched in cross-platform mode, leading to more serious threats and more complex detection. In this paper, we define the new attacks (NA) in CPS and analyze the TAs and CPAs conducted in a cross-platform way; all of them are listed in Table 1. For each attack we propose a countermeasure, or a combination of countermeasures, to mitigate the threat. A "C" prefix before an attack name denotes the countermeasure for the corresponding attack.

Table 1. Three Categories of Attacks in CPS

Traditional Attacks (TA)
  Attacks: TA1: Eavesdropping; TA2: Hijacking/Man-in-the-middle; TA3: Masquerading; TA4: Tampering with message bodies; TA5: Denial of Service.
  Countermeasures: C1: Authentication and authorization; C2: Encryption; C3: Integrity protection; C4: Firewall.

Newly Defined Attacks in CPS (NA)
  Attacks: NA1: Malicious Codec Change (MCC) attack; NA2: Malicious-formatted packet flooding (MFPF) attack; NA3: Cross-Platform Denial of Service (CPDoS) attack; NA4: Malicious code injection and traverse attack.
  Countermeasures: C-NA1: Countermeasure to the MCC attack; C-NA2: Countermeasure to the MFPF attack; C-NA3: Countermeasure to the CPDoS attack; C-NA4: Wireless station hardening and wireless network monitoring based defense.

Cross-platform Attacks (CPA)
  Attacks: CPA1: Power Management attack; CPA2: Traffic Analysis attack; CPA3: Packet modification/deletion/replay attack.
  Countermeasures: C-CPA1: Synchronization and encryption based defense; C-CPA2: Hiding explicit and implicit identifiers; C-CPA3: Cryptographic approaches.

4. SCPS FOR INTERNET-3G-WIFI CROSS-NETWORKS

Internet-3G CPS involves trans-signaling and trans-coding, each of which involves at least two sets of protocols. The 3rd Generation Partnership Project (3GPP) has adopted H.324M [16] (the ITU standard enabling multimedia communication over low-bit-rate terminals), with some modifications to the codec and error-handling requirements, to create the 3G-324M standard for multimedia stream (e.g., video call) transmission [17]. 3G-324M is an umbrella protocol referencing other important standards, such as the control protocol H.245 [18] and the multiplexing/demultiplexing protocol H.223 [19], which specify connection setup, negotiation and teardown, and data multiplexing/demultiplexing. To understand the vulnerabilities due to CPS, we first illustrate the cross-protocol scenarios and the corresponding key operations in Table 2, which considers four layers of a typical CPS application and the protocol translation at each layer, followed by the key operations of that translation. In particular, we discovered three kinds of new attack, named MCC, MFPF and CPDoS. These new attacks originate from the signaling translation and codec translation procedures and are not covered by the protocols themselves. In addition, we show how the traditional attacks (TA1~TA4) work in the Internet-3G cross network. Note that the 3G network inherits PSTN traditions, so we consider the SCPS to apply to PSTN as well. In the following description of the attacks in Internet-3G, we partly use a video VoIP application to illustrate the concept: an IP-to-3G call from a packet-switched network (SIP/RTP) crossing to a circuit-switched network with 3G-324M as the transmission protocol.

4.1. Attacks and Countermeasures for Internet-3G Cross Networks

By observing a video VoIP call between the Internet and a 3G network, we summarize the protocol key operations and translation scenarios in Table 2 [20]. For each protocol translation scenario, the key operation can be signaling/media translation or connection/route/link control. In Table 2, we list all the possible attacks in the Internet-3G cross network, including the newly discovered attacks and the traditional attacks that are particularly threatening in cross-platform mode. The illustrations of traditional attacks in cross Internet-3G-Wi-Fi scenarios are omitted in this paper for lack of space. The newly identified attacks for Internet-3G cross networks are listed below.

NA1: Malicious Codec Change (MCC) attack: MCC occurs when an Internet media description based on SDP crosses to the 3G-324M control protocol H.245, where the SDP content tells H.245 which codec should be used for the media flows. A malicious SDP carried in frequent RE-INVITE messages can change the codecs repeatedly, causing H.245 to change codecs in turn, which slows the response of the real-time service and marks down the QoS. In the worst case, this attack causes DoS of the 3G service.

NA2: Malicious-formatted packet flooding (MFPF) attack: MFPF occurs in media trans-coding from the Internet to the 3G network when a codec is not supported on the 3G side. For instance, 3G-324M terminals do not support H.264, so any H.264 flow crossing to the 3G network requires trans-coding. In the process of such trans-coding, malicious-formatted packets, as the payload, are passed to the 3G codec; if it cannot decode them successfully, the packets are dropped. However, continuous MFPFs may cause the codec to crash, since security measures are normally not built into codec software.

NA3: Cross-Platform Denial of Service (CPDoS) attack: CPDoS differs from DoS in that a DoS concentrates all attack messages on the same destination (server) in the same network, so it can normally be detected by a firewall through destination identification. CPDoS is new in the sense that it may initiate many calls to different destinations in order to attack the 3G network, because the 3G network may use the same signaling port (SP) to relay calls for various destinations. CPS thus introduces a new vulnerability: a DoS attack propagating from the Internet into the secure 3G network. The large number of requests/calls may bring the 3G SP down or slow its response. Such attacks may escape detection by Internet IDS and prevail in the 3G network after crossing. For instance, many VoIP callers simultaneously call 3G parties.

Table 2. Attacks and Countermeasures for Internet-3G Cross Network

Application layer

Cross-protocol (Internet-3G): SIP ↔ ISUP
Key operation: Signaling translation (registration, session initiation, session termination)
Attacks: TA1: Eavesdropping (including user account, network topology, etc.); TA2: Hijacking/Man in the Middle (redirect call); TA3: Masquerading (fake registration/invitation/teardown, etc.); TA4: Tampering with SIP headers; NA3: Cross-Platform DoS
Countermeasures: C1: Authentication (HTTP Digest, MD5); C2: Encryption (SIPS, SSL, TLS, PKI); C3: Integrity protection and sequence number check; C4: Firewall; C-NA3: Countermeasure to NA3

Cross-protocol (Internet-3G): SDP ↔ H.245
Key operation: Signaling translation (capability agreement, codec selection, codec modification)
Attacks: TA1: Eavesdropping; TA4: Tampering with SDP bodies (including capability set, destination address and port, etc.); NA1: Malicious Codec Change
Countermeasures: C2: Encryption (SSL, TLS, PKI); C3: Integrity protection and sequence number check; C1: Codec modification authentication; C-NA1: Countermeasure to NA1

Cross-protocol (Internet-3G): RTP/UDP ↔ H.223
Key operation: Media transformation (packet re-ordering, data extraction, data partition, packet formation)
Cross-protocol (Internet-3G): G.7xx ↔ AMR; H.264 ↔ H.263; H.263 ↔ H.263 (re-resolution, re-frame-rate, etc.)
Key operation: Media transcoding (audio decode, audio encode, video spatial transcoding, video temporal transcoding)
Attacks (media transformation and transcoding): TA1: Eavesdropping; TA5: Media packet flooding (DoS, wasting the resources of the transformation module of the cross-platform gateway); NA3: CPDoS; NA2: Malicious-formatted packet flooding
Countermeasures: C2: Encryption (SRTP) [21]; C3: Packet content, timestamp and sequence check; C-NA3: Countermeasure to NA3; C-NA2: Countermeasure to NA2

Transport layer

Cross-protocol (Internet-3G): TCP/UDP ↔ SCCP
Key operation: Connection control (connection-oriented establishment, connectionless establishment, connection maintenance)
Attacks: TA1: Eavesdropping; TA5: UDP request/response flooding, TCP SYN/ACK flooding; TA2: TCP session hijacking; TA4: Tampering with messages (modification/deletion/replay)
Countermeasures: C1: Authentication; C2: Encryption (IPSec, SSL, TLS, PKI); C3: Integrity protection; C4: Firewall (TCP session control)

Network layer

Cross-protocol (Internet-3G): IP ↔ MTP3
Key operation: Route control (routing selection, traffic control, link management)
Attacks: TA1: Eavesdropping; TA2: Hijacking/Man in the Middle (ARP spoofing, ICMP redirection, malicious routing node/signaling node); TA4: Tampering with messages (modification/deletion/replay); TA5: Ping flooding, ICMP unreachable storm
Countermeasures: C1: Authentication (802.1X, AH/ESP); C2: Encryption (IPSec, PKI); C3: Integrity protection and sequence number check; C4: Firewall (IP and port restricted)

Link layer

Cross-protocol (Internet-3G): 802.3 ↔ MTP2
Key operation: Link control (flow control, re-ordering, error control)
Attacks: TA5: DoS (MAC/CAM flooding, DHCP flooding); TA2: Hijacking/Man in the Middle
Countermeasures: C1: L2 authentication (802.1X); C4: Firewall (DHCP and MAC/CAM restricted)

Countermeasures to the newly identified attacks

C-NA1: Countermeasure to the Malicious Codec Change (MCC) attack: Against the MCC attack, we propose a post-SIP checking mechanism (called post_demon). The procedure is outlined in Figure 2.

Procedure CounterMeasureMCC
Var: sc: int (counter of codec change requests); tc: int (time interval)
  While true
    CES sets timer tc and resets the counter sc upon timeout of tc;
    Every SIP codec change request is counted in sc;
    If (sc > MCC_Threshold or the service quality metric rating is satisfactory)
      then reject the request;
      Else pass the request to the H.245 protocol for the codec change;
  End while

Figure 2. Pseudo Code of C-NA1: Countermeasure to MCC Attack

In the procedure, three parameters are evaluated: tc, MCC_Threshold and the service quality metric rating. MCC_Threshold is easy to decide: any value greater than a small number, say 3, suffices. Deciding tc, however, requires a statistical model of normal CPS operation, namely the average time between codec changes made in response to legitimately changing conditions. Deciding the service quality metric rating is even more challenging, as it depends on the application; we will implement such online quality checking for VoIP streaming. The quality test in the If condition rejects a change requested while the current quality is already satisfactory, since a legitimate codec change is a reaction to degraded quality.
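As an added example (not part of the paper and not its post_demon implementation), the following Python sketch implements the check of Figure 2 as a per-session sliding-window limiter. The session ids, the window length standing in for tc, the quality rating in [0, 1] and the re-INVITE timing in simulate_burst are assumptions constructed for the demonstration:

```python
"""Added example (not from the paper): one way to implement the C-NA1
post-SIP check of Figure 2 as a per-session rate limiter.

Assumptions, none of which are stated in the paper: the cross-platform
gateway sees each SIP re-INVITE that changes the SDP codec as an event
carrying a session id and a timestamp in seconds, and the media plane
supplies a per-session quality rating in [0, 1] (higher is better).
The sliding window replaces the fixed tc timer of Figure 2; the
threshold and the quality cut-off are the paper's MCC_Threshold and
"service quality metric rating is satisfactory" test.
"""

from collections import defaultdict, deque


class CodecChangeGuard:
    """Decides whether a codec-change request is forwarded to H.245."""

    def __init__(self, threshold=3, window_s=30.0, quality_ok=0.8):
        self.threshold = threshold      # MCC_Threshold of Figure 2
        self.window_s = window_s        # tc of Figure 2, as a sliding window
        self.quality_ok = quality_ok    # rating at or above this is "satisfactory"
        # session id -> timestamps of codec-change requests inside the window
        self._requests = defaultdict(deque)

    def decide(self, session, now, quality):
        """Return ('pass', reason) to forward the change to H.245, or
        ('reject', reason) to drop it.  `now` is a monotonic time in
        seconds; `quality` is the current rating of the session."""
        q = self._requests[session]
        # Expire requests older than the window (the timeout of tc resets sc).
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)                   # sc counts every request, accepted or not
        if len(q) > self.threshold:
            return ("reject", "too many codec changes in window")
        if quality >= self.quality_ok:
            # A legitimate change reacts to degraded quality; a change
            # requested while quality is fine gains nothing for the caller.
            return ("reject", "quality already satisfactory")
        return ("pass", "forwarded to H.245")


def simulate_burst(guard, session, count, spacing_s, quality, start=0.0):
    """Feed `count` codec-change requests `spacing_s` seconds apart into
    `guard` and return the decisions, e.g. for an attacker's re-INVITE burst."""
    return [guard.decide(session, start + i * spacing_s, quality)[0]
            for i in range(count)]


if __name__ == "__main__":
    g = CodecChangeGuard()
    # Attacker: ten re-INVITEs in five seconds while quality is poor.
    print(simulate_burst(g, "call-1", 10, 0.5, quality=0.5))
    # One legitimate change under poor quality, one request under good quality.
    print(g.decide("call-2", 0.0, quality=0.4), g.decide("call-3", 0.0, quality=0.95))
```

With the defaults, the burst of ten requests yields three passes and seven rejections, a single request under poor quality passes, and a request made while quality is already good is rejected; once the window has elapsed the same session may change codecs again.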



C-NA3: Countermeasure to the Cross-Platform Denial of Service (CPDoS) attack: the procedure for the CPS gateway (CPS-GW), which cooperates with the SDS and with its sibling gateways, is as follows.

- The current CPS-GW may have a quota for simultaneous/continuous calls to the 3G network. Thus the CPS-GW has two thresholds: T1 relates to the quota, and T2 is the maximum number of calls that the CPS-GW can tolerate.
- Once the CPS-GW detects that the number of simultaneous sessions exceeds T1, it reports the call number to the SDS and also sends the same information to its sibling CPS gateways (if any).
- The SDS, upon reception of any such report, makes a decision based on its accumulated current number of calls and its own threshold Ts, and sends the decision to all CPS-GWs or to an individual GW. The decision may be: (a) pull the other CPS-GWs to report their call numbers if it finds no abnormal situation by Ts; (b) ask the CPS-GWs to block the calls.
- The SDS may pull all the enterprise CPS-GWs for the statistics of their accumulated session numbers to the 3G network if it detects any abnormal situation.
- A CPS-GW, upon reception of a report from another CPS-GW, reports to the SDS together with its own session number.
- A CPS-GW may reject further calls to the 3G network by its own decision (i.e., the call sessions exceed T2) or obey the command from the SDS.

C-NA2: Countermeasure to the Malicious-formatted packet flooding (MFPF) attack: As described for NA2, malicious-formatted packets passed to the 3G codec for trans-coding may fail to decode and be dropped, and a continuous stream of them may crash a codec that has no built-in protection. Against MFPF we intend to implement a simple threshold-based algorithm. The idea is simple: a threshold (TH) is set for the number of corrupt incoming packets the codec encounters during its operation. In case of a continuous run of corruptions, the codec decides to take a rest by dropping some portion of the incoming packets. However, the number of dropped packets must be decided by some criterion, so the three parameters (the threshold, the length of the run, and the dropped portion) require further investigation to reflect practical situations.

Of the three countermeasures, C-NA3 is the most complex to deal with: it requires the support of the SDS and the cooperation of the other gateways, as the CPS-GW procedure given above shows.

4.2. Attacks and countermeasures for Internet-Wi-Fi cross networks

Internet-Wi-Fi CPS also involves trans-signaling and trans-coding, each involving at least two sets of protocols. Similarly, there may be weak nodes/links in such cross networks that introduce vulnerabilities. Before discussing the vulnerabilities, we first present the core operations of the protocols involved at the MAC and physical layers. Table 3 illustrates the protocols, core operating issues, possible threats and potential countermeasures at the MAC and physical layers of Internet-Wi-Fi cross networks.

In the following, we present four attack scenarios against Internet-Wi-Fi networks. The first three are cross-platform attacks that arise from protocol translation, while the last is a newly identified attack originating from the data translation between the access point and the mobile station.

CPA1: Power Management attack: In this attack, an adversary on the wired side (say a malicious router, called Rm) colludes with an adversary on the wireless Wi-Fi side (called Wm). The objective is for these adversaries to intercept the communication to a legitimate station while preventing the legitimate (i.e., victim) station from receiving any messages at all. Consider a malicious router Rm that has a direct wired connection to the access point of a Wi-Fi network. To launch the attack, Wm first passively monitors the communication between the access point and the victim station. When Wm observes that the victim station is asleep, it informs Rm via some out-of-band mechanism.

Table 3. Protocols and Subsequent Threats in Internet-WiFi Cross Networks

Cross-protocol (Internet-Wi-Fi): 802.3 (CSMA/CD) ↔ 802.11 (CSMA/CA)
Key operations: Medium access, medium contention, MAC layer reliability, encryption, integrity check, fragmentation, power management
Attacks: TA2: Hijacking/Man in the Middle; TA3: Masquerading (station or AP); TA5: Flooding (DoS); CPA1~CPA3, NA4
Countermeasures: C2: Encryption (TKIP/CCMP); C1: Authentication (802.1X); C3: Integrity protection, anti-replay mechanism, sequence number check; C2: Higher-layer security protocol (IPSec, TLS, etc.); C-CPA1~C-CPA3, C-NA4

Cross-protocol (Internet-Wi-Fi): Wired medium (coaxial cable, twisted pair, optical fiber) ↔ Wireless medium (RF with FHSS/DSSS/OFDM/MIMO)
Key operation: Packet transmission
Attacks: TA1: Eavesdropping; TA4: Packet modification/deletion/replay; TA5: Injection/flooding (wasting resources, DoS)
Countermeasures: C2: Encryption (TKIP/CCMP); C1: Authentication (802.1X); C3: Integrity protection, anti-replay mechanism, sequence number check

Immediately, Rm forwards the messages intended for the victim station to the access point, while at the same time Wm masquerades as the victim station: Wm changes its MAC address to that of the victim and sends PS-Poll frames to the access point claiming that it (i.e., the victim) is waking up. When Wm receives the buffered incoming messages, it returns ACK frames, which effectively deletes those messages intended for the victim from the access point. Such an attack is in effect a colluding DoS attack; it can seriously degrade communication performance or completely disconnect the communication.

CPA2: Traffic Analysis attack: In this attack, the attacker passively monitors the communication and attempts to infer the communication pattern of a specific user of interest. This can be achieved via either explicit identifiers (e.g., MAC address, IP address) or implicit identifiers (the size of broadcast messages, the SSID in probe request frames, the supported transmission rates/security algorithms, etc.). Using explicit identifiers, the attacker (on either the wired or the wireless side) can correlate multiple messages by observing the same MAC address and/or IP address. Using implicit identifiers, the attacker (on the wireless side) can correlate multiple seemingly unrelated messages by observing a unique broadcast message size, unique SSIDs in probe request frames, or a unique set of supported transmission rates/security algorithms. In this way, the attacker compromises the communication privacy/anonymity of the user of the station under attack.

CPA3: Packet Modification/Deletion/Replay attack: In this attack, the attacker monitors the communication and tries to interfere with normal communication. Packet replay can be achieved on either the wired or the wireless side by storing a received packet and sending it out later, hoping to pass authentication or to confuse the communication between station and access point. Packet modification/deletion is easier to achieve on the wireless side, although it can also be done on the wired side at the cost of higher complexity. We illustrate these attacks on the wireless side as an example. Packet modification on the wireless side can be achieved by interfering with the receiver using a short jamming signal while at the same time changing part of the packet and sending it to the receiver using directional antennas. Packet deletion on the wireless side can be achieved by interfering with the receiver using a short jamming signal while at the same time masquerading as the receiver and sending an ACK frame to the sender using directional antennas.

NA4: Malicious Code Injection and Traverse attack: In this attack, the attacker injects malicious code into wireless stations (e.g., laptops) from the wireless network side. Such malicious code can then propagate to wired networks when the victim laptop communicates with other users via the wired network. For example, a laptop may be infected with malicious code when it is used on a Wi-Fi network in a non-secure environment such as an airport. When the user later connects the laptop to the wired Internet, the malicious code can propagate to stations in the Internet, resulting in large-scale security compromises.

Countermeasures

C-CPA1: Synchronization and encryption based defense: We can defend against this attack at the access point. In fact, the access point should not trust PS-Poll frames, as these frames are unencrypted and easy to forge. The access point should send buffered messages only when one of the following two conditions holds.



The attacker receives a PS-Poll frame at the beginning of the beacon interval when the station is supposed to wakeup.



The attacker receives an encrypted data frame claiming the station is waking up, and such data frame can be decrypted successfully and is not a replayed message.

In the first situation, the access point is sure that the real station is awake at the time, so that it is safe to send the buffered messages out. In the second situation, the access point is assured that such a frame comes from the real station instead of the attacker as the encryption key is only shared between the real station and the access point. C-CPA2: Hiding explicit and implicit identifiers: We can defend traffic analysis by hiding both explicit and implicit identifiers. As to the explicit identifiers such as MAC address and IP address, we can let the station update its MAC address between

326

two communication sessions, and encrypt the IP header. During the updating of MAC address, the station should negotiate with neighboring stations so that multiple nearby stations could update their MAC addresses simultaneously to defend against traffic analysis. As to the implicit identifiers such as broadcast message size, SSID and supported transmission rates/security algorithms, we can let the station pad the broadcast message to achieve homogeneous size; not send out SSID explicitly during network discovery; and not send supported transmission rates/security algorithms explicitly during the negotiation with the access point. Instead, the negotiation for supported transmission rates/security algorithms can be achieved by selecting the ones from those supported in the frames sent by the access point.
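The following is an added example (not code from the paper) of the C-CPA2 rules applied to outgoing probe/broadcast frames: the MAC address is rotated per session, the body is padded to a homogeneous size (PAD_TO is an assumed value), the SSID is withheld, and the transmission rate is chosen only from the set the access point advertises; the smallest anonymity set then measures how many frames still share an implicit fingerprint. The frame fields and sample values are constructed for illustration.

```python
import os

PAD_TO = 256  # assumed homogeneous broadcast size for this example

def random_mac():
    """Fresh per-session MAC: locally administered (U/L bit set), unicast (I/G clear)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)

def choose_rate(ap_rates, station_rates):
    """Negotiate without advertising the station's own rate list: pick the best
    rate among those the access point already announced (None if no overlap)."""
    common = set(ap_rates) & set(station_rates)
    return max(common) if common else None

def hide_identifiers(frame, pad_to=PAD_TO):
    """Apply the C-CPA2 rules to one outgoing probe/broadcast frame (a dict)."""
    body = frame["body"]
    if len(body) > pad_to:
        raise ValueError("frame larger than the homogeneous size")
    return {"mac": random_mac(),                            # explicit id rotated
            "body": body + b"\x00" * (pad_to - len(body)),  # size made uniform
            "ssid": "",                                     # wildcard probe
            "rates": ()}                                    # not advertised

def implicit_fingerprint(frame):
    return (len(frame["body"]), frame["ssid"], frame["rates"])

def smallest_anonymity_set(frames):
    """k of the least-protected frame: how many frames share its implicit fingerprint."""
    counts = {}
    for f in frames:
        key = implicit_fingerprint(f)
        counts[key] = counts.get(key, 0) + 1
    return min(counts.values())

# Constructed sample: two similar stations and one that stands out by message
# size, SSID and a legacy rate set.
FRAMES = [
    {"mac": "00:11:22:33:44:55", "body": b"\x40" * 60, "ssid": "corp", "rates": (6, 12, 24)},
    {"mac": "00:11:22:33:44:56", "body": b"\x40" * 60, "ssid": "corp", "rates": (6, 12, 24)},
    {"mac": "00:11:22:33:44:57", "body": b"\x40" * 83, "ssid": "guest", "rates": (1, 2, 11)},
]
```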


C-CPA3: Cryptographic approaches: To defend against such attacks, we can use a set of security algorithms covering encryption, authentication, integrity and anti-replay. When an encryption algorithm is used, the packet cannot be modified successfully by the attacker, as he does not hold the encryption key. When an integrity algorithm is used, a lost packet can be noticed by observing a gap between the sequence numbers of two adjacent received packets. Such a mechanism also helps to detect replayed packets, as a replayed packet carries the same sequence number as the one sent out before.
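As an added example (not the paper's code) covering both C-CPA1 and C-CPA3, the receiver below classifies each protected frame as accepted, modified or replayed and derives the number of lost frames from the sequence-number gap, and the access point releases buffered frames only for a PS-Poll that arrives inside the expected wake window or for a data frame that authenticates and is not a replay. An HMAC tag over sequence number and payload stands in for the paper's per-packet encryption/integrity protection; the key, beacon interval, listen interval and timing tolerance are assumed values.

```python
import hmac, hashlib, struct

KEY = b"\x11" * 32   # constructed pairwise key, shared only by station and AP
TAG_LEN = 16

def protect(seq, payload, key=KEY):
    """Station side: frame = seq || payload || tag. The HMAC stands in for the
    paper's per-packet encryption/integrity protection (a simplification)."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """C-CPA3 checks: bad tag = modification, old seq = replay, seq gap = loss."""
    def __init__(self, key=KEY):
        self.key, self.last_seq = key, -1

    def verify(self, frame):
        """Return (status, frames_lost, payload); status is ok/modified/replayed."""
        if len(frame) < 4 + TAG_LEN:
            return "modified", 0, None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return "modified", 0, None
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:          # already seen (no reordering window)
            return "replayed", 0, None
        lost, self.last_seq = seq - self.last_seq - 1, seq
        return "ok", lost, body[4:]

class AccessPoint:
    """C-CPA1: hand out buffered frames only on a trusted wake-up indication."""
    def __init__(self, beacon_interval_ms=100, listen_interval=3, tolerance_ms=5):
        self.period = beacon_interval_ms * listen_interval  # station wake period
        self.tolerance, self.rx = tolerance_ms, Receiver()

    def in_wake_window(self, now_ms):
        # The station is due to wake at the start of every listen_interval-th beacon.
        return now_ms % self.period <= self.tolerance

    def release_buffered(self, event, now_ms, frame=b""):
        if event == "ps-poll":             # unencrypted and forgeable: timing only
            return self.in_wake_window(now_ms)
        if event == "data":                # must authenticate and not be a replay
            return self.rx.verify(frame)[0] == "ok"
        return False
```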


C-NA4: Wireless station hardening and wireless network monitoring based defense: To defend against the malicious code injection attack, we can take two approaches simultaneously: hardening the wireless station and monitoring the wireless network. For hardening the wireless station, we can update the operating system and apply new patches to the wireless station (e.g., a laptop), especially for wireless device drivers, to eliminate serious and well-known vulnerabilities. We can also install a host-based firewall and anti-virus software to defend against well-known attacks. Activating the wireless card only when necessary also decreases the chance of being infected with malicious code. For wireless network monitoring, we can deploy a wireless intrusion detection and prevention system (WIDS/WIPS) to help detect malicious injection attacks in real time. Such systems can be deployed in wireless stations and/or access points, or even in third-party monitoring sensors.


5. CONCLUSIONS


In this paper, we first address the security issues of cross platform/network services. Based on a video conference application between 3G and the Internet, we show that there exist newly identified security gaps unexplored in cross-platform network communications. We presented five new kinds of attacks that we discovered in Internet-3G and Internet-Wi-Fi cross networks respectively, which stem from the protocol/signal translation, coding translation and data translation in CPS. We also showed that even the traditional attacks on the Internet bring more serious damage and greater complexity in detection in this setting.


6. ACKNOWLEDGEMENTS

The work described in this paper was fully supported by grants from the Research Grants Council of the Hong Kong Special Administrative Region, China (Project No. CityU 113906) and from the CityU Strategic Research Grant (SRG) (Project No. 7002102).

