Unit 6: Wireless and IP Security

IEEE 802.11 Wireless Securities:

• In 1990, the Institute of Electrical and Electronics Engineers (IEEE) initiated the 802.11
project with a scope to develop a medium access control (MAC) and physical layer (PHY)
specification for wireless connectivity for fixed, portable, and moving stations within an area.

IEEE 802.11 standard uses 2.4 GHz ISM (industrial, scientific, and medical) radio band and
provides a mandatory 1Mbps and an optional 2Mbps data transfer rate.

• IEEE ratified the 802.11a and the 802.11b wireless networking communication standards.

• IEEE 802.11b standard operates in the 2.4 ~2.5 GHz ISM band and permits transmission speed
up to 11 Mbps.

• The 802.11a standard is a high‐speed interface definition that can produce data at up to 54
Mbps and operates in the 5‐GHz frequency spectrum.

Security of IEEE 802.11

•The security services are provided largely by the Wired Equivalent Privacy (WEP) protocol.

• WEP was part of the original IEEE 802.11 wireless standard. (built in security)

•WEP protocol is used only to protect link level data during wireless transmission between
clients and the access points.

•WEP provides security for the wireless portion of the connection, but does not provide end‐to‐
end security.

Basic Security Services provided by IEEE802.11b

• Authentication: The primary goal of WEP is to provide access to the legitimate clients.

• Data confidentiality: The goal is to prevent data compromise by eavesdropping (passive

attack). Data is protected by enciphering them and allowing decryption only by clients who have
the correct WEP key.

• Data integrity: Another goal is to ensure that data is not modified in transit between the
wireless clients and the access point in an active attack.

I. 802.11 Authentication:
● Both open and closed system authentication schemes simply provide identification, as
practically, there is no true authentication.

• Both open and closed authentication schemes are highly vulnerable to attacks against even the
most novice adversaries.

II. DATA CONFIDENTIALITY

• WEP is intended to provide functionality for the wireless LAN; equivalent to that provided by
the physical security attributes inherent to a wired medium.

• WEP uses RC4 symmetric key stream cipher algorithm to generate encrypted data.

• Through the use of WEP technique, data can be protected from disclosure during transmission
over the wireless link.

• WEP is applied to all data above the 802.11 WLAN layers to protect traffic such as
Transmission Control Protocol/ Internet Protocol (TCP/IP), Internet Packet Exchange (IPX), and
Hypertext Transfer Protocol (HTTP).

III. Data Integrity

• IEEE 802.11 also offers a means to provide data integrity for messages transmitted between wireless
client and access points.

• This security service was designed to reject any message that has been modified by an active adversary
“in the middle.”

• WEP uses simple cyclic redundancy check (CRC) approach to provide data integrity.
 • A 32‐bit ICV is computed on each payload and ciphertext is generated by XORing RC4 key stream with
the concatenated ICV and payload.

• On the receiving end, decryption is performed.

• Output of the decryption process is the concatenated ICV and text output.

• The output text is then passed through the CRC generation algorithm and the computed ICV´ is then
compared with the deciphered ICV.

• If the ICVs do not match, then this would indicate an integrity violation and the received message would
be discarded.

• Unfortunately, IEEE 802.11 integrity is vulnerable to certain attacks regardless of key size.

WEP: Wired Equivalent Privacy protocol.

● WEP is a symmetric key.

• The encrypted packet is generated with a bitwise exclusive OR (XOR) of the original plaintext
with a pseudorandom key sequence of equal length.

• WEP supports cryptographic keys sizes from 40 to 104 bits

• However in practice most WLAN deployments rely on 40‐bit key.

WEP Encryption Process:

WEP Decryption Process:

WEP deciphering starts with the arrival of the message.

• The IV of the incoming message is concatenated with the shared secret key to generate the key
sequence to decipher the incoming message.

• Produced key sequence is then bitwise XORed with the received ciphertext, resulting in the
plaintext output.

• The plain text output contains the ICV and the output text.

• The output ICV is used to check the validity of the received message.

IEEE 802.11i:
IEEE 802.11i is an IEEE 802.11 amendment used to facilitate secure end-to-end communication
for wireless local area networks (WLAN). IEEE 80211i improves mechanisms for wireless
authentication, encryption, key management and detailed security. IEEE 802.11i is also known as
IEEE 802.11i-2004.

IEEE 802.11i enhances Wired Equivalent Policy (WEP), which was a defacto wireless security
standard until it was replaced by the draft version of Wi-Fi Protected Access (WPA). When
combined, IEEE 802.11i and WPA 2 form a complete wireless security protocol that includes the
Advanced Encryption Standard's (AES) block ciphering technique, four-way handshake and
group key handshake for improved authentication and access control.
IEEE 802.11i also incorporates Temporal Key Integrity Protocol (TKIP) and Counter
Mode/CBC-MAC Protocol (CCMP) for data transmission confidentiality, protection, packet
authentication and encryption.

WAP (Wireless Application Protocol):

[WAP is] the de facto worldwide standard for providing Internet communications and advanced
telephony services on digital mobile phones, pagers, personal digital assistants, and other
wireless terminals − WAP Forum.

WAP stands for Wireless Application Protocol. The dictionary definitions of these terms are as
follows –

Wireless − Lacking or not requiring a wire or wires pertaining to radio transmission.

Application − A computer program or piece of computer software that is designed to do a

specific task.

Protocol − A set of technical rules about how information should be transmitted and received
using computers.

WAP is the set of rules governing the transmission and reception of data by computer
applications on or via wireless devices like mobile phones. WAP allows wireless devices to view
specifically designed pages from the Internet using only plain text and very simple black-and-
white pictures.

WAP is a standardized technology for cross-platform, distributed computing very similar to the
Internet's combination of Hypertext Markup Language (HTML) and Hypertext Transfer Protocol
(HTTP), except that it is optimized for:

● low-display capability
● low-memory
● Low-bandwidth devices, such as personal digital assistants (PDAs), wireless phones, and
pagers.

WAP is designed to scale across a broad range of wireless networks like GSM, IS-95, IS-136,
and PDC.
Why is WAP Important?

Until the first WAP devices emerged, the Internet was a Internet and a mobile phone was a
mobile phone. You could surf the Net, do serious research, or be entertained on the Internet using
your computer, but this was limited to your computer.Now with the appearance of WAP, the
scene is that we have the massive information, communication, and data resources of the Internet
becoming more easily available to anyone with a mobile phone or communications device.

WAP being open and secure, is well suited for many different applications including, but not
limited to stock market information, weather forecasts, enterprise data, and games.

Despite the common misconception, developing WAP applications requires only a few
modifications to existing web applications. The current set of web application development tools
will easily support WAP development, and in the future more development tools will be
announced.

IP Security Architecture:

The IP security architecture (IPsec) provides cryptographic protection for IP datagrams in IPv4
and IPv6 network packets. This protection can include confidentiality, strong integrity of the
data, data authentication, and partial sequence integrity. Partial sequence integrity is also known
as replay protection.
IPsec is performed inside the IP module. IPsec can be applied with or without the knowledge of
an Internet application. When used properly, IPsec is an effective tool in securing network traffic.
IPsec provides security mechanisms that include secure datagram authentication and encryption
mechanisms within IP. When you invoke IPsec, IPsec applies the security mechanisms to IP
datagrams that you have enabled in the IPsec global policy file. Applications can invoke IPsec to
apply security mechanisms to IP datagrams on a per-socket level.

Figure, shows how an IP addressed packet, as part of an IP datagram, proceeds when IPsec has
been invoked on an outbound packet. As you can see from the flow diagram, authentication
header (AH) and encapsulating security payload (ESP) entities can be applied to the packet.
Subsequent sections describe how you apply these entities, as well as authentication and
encryption algorithms.
Figure: IPsec Applied to Outbound Packet Process
 Figure: IPsec Applied to Inbound Packet Process

IPsec Security Associations

An IPsec security association (SA) specifies security properties that are recognized by
communicating hosts. These hosts typically require two SAs to communicate securely. A single
SA protects data in one direction. The protection is either to a single host or a group (multicast)
address. Because most communication is peer-to-peer or client-to-server, two SAs must be
present to secure traffic in both directions.

The security protocol (AH or ESP), destination IP address, and security parameter index (SPI)
identify an IPsec SA. The SPI, an arbitrary 32-bit value, is transmitted with an AH or ESP
packet. The ipsecah (7P) and ipsecesp (7P) man pages explain the extent of protection that is
provided by AH and ESP. An integrity checksum value is used to authenticate a packet. If the
authentication fails, the packet is dropped.

Security associations are stored in a security association’s database. A socket-based

administration engine, the pf_key interface, enables privileged applications to manage the
database.

Key Management

A security association contains the following information:

● Material for keys for encryption and authentication

● The algorithms that can be used
● The identities of the endpoints
● Other parameters that are used by the system

SAs require keying material for authentication and encryption. The managing of keying material
that SAs require is called key management. The Internet Key Exchange (IKE) protocol handles
key management automatically. You can also manage keys manually with the ipseckey
command. SAs on IPv4 and IPv6 packets can use automatic key management.

See IKE Overview, for how IKE manages cryptographic keys automatically. See Keying
Utilities, for how you can manually manage the cryptographic keys by using the ipseckey
command. The ipseckey (1M) man page provides a detailed description of the command options.

Protection Mechanisms

IPsec provides two mechanisms for protecting data:

I. Authentication Header (AH)

II. Encapsulating Security Payload (ESP)

Both mechanisms have their own Security Association Database (SADB).

I. Authentication Header
The authentication header provides data authentication, strong integrity, and replay protection to
IP datagrams. AH protects the greater part of the IP datagram. AH cannot protect fields that
change nondeterministically between sender and receiver. For example, the IP TTL field is not a
predictable field and, consequently, not protected by AH. AH is inserted between the IP header
and the transport header. The transport header can be TCP, UDP, ICMP, or another IP header
when tunnels are being used. See the tun(7M) man page for details on tunneling.

Authentication Algorithms and the AH Module

IPsec implements AH as a module that is automatically pushed on top of IP. The /dev/ipsecah
entry tunes AH with the ndd command. Future authentication algorithms can be loaded on top of
AH. Current authentication algorithms include HMAC-MD5 and HMAC-SHA-1. Each
authentication algorithm has its own key size and key format properties

Security Considerations for AH

Replay attacks threaten an AH when an AH does not enable replay protection. An AH does not
protect against eavesdropping. Adversaries can still see data that is protected with AH.

II. Encapsulating Security Payload

The encapsulating security payload (ESP) header provides confidentiality over what the ESP
encapsulates, as well as the services that AH provides. However, ESP only provides its
protections over the part of the datagram that ESP encapsulates. ESP's authentication services are
optional. These services enable you to use ESP and AH together on the same datagram without
redundancy. Because ESP uses encryption-enabling technology, ESP must conform to U.S.
export control laws.

ESP encapsulates its data, so ESP only protects the data that follows its beginning in the
datagram. In a TCP packet, ESP encapsulates only the TCP header and its data. If the packet is an
IP-in-IP datagram, ESP protects the inner IP datagram. Per-socket policy allows self-
encapsulation, so ESP can encapsulate IP options when ESP needs to. Unlike the authentication
header (AH), ESP allows multiple kinds of datagram protection. Using only a single form of
datagram protection can make the datagram vulnerable. For example, if you use ESP to provide
confidentiality only, the datagram is still vulnerable to replay attacks and cut-and-paste attacks.
Similarly, if ESP protects only integrity, ESP could provide weaker protection than AH. The
datagram would be vulnerable to eavesdropping.

Algorithms and the ESP Module

IPsec ESP implements ESP as a module that is automatically pushed on top of IP. The
/dev/ipsecesp entry tunes ESP with the ndd command. ESP allows encryption algorithms to be
pushed on top of ESP, in addition to the authentication algorithms that are used in AH.
Encryption algorithms include Data Encryption Standard (DES), Triple-DES (3DES), Blowfish,
and AES. Each encryption algorithm has its own key size and key format properties. Because of
export laws in the United States and import laws in other countries, not all encryption algorithms
are available outside of the United States.

Security Considerations for ESP

An ESP without authentication is vulnerable to cut-and-paste cryptographic attacks and to replay

attacks. When you use ESP without confidentiality, ESP is as vulnerable to eavesdropping as AH
is.

Authentication and Encryption Algorithms

IPsec uses two types of algorithms, authentication and encryption. The authentication algorithms
and the DES encryption algorithms are part of core Solaris installation. If you plan to use other
algorithms that are supported for IPsec, you must install the Solaris Encryption Kit.

Table 1–1 Supported Authentication Algorithms

Algorithm Name Security Option Format Man Page

HMAC-MD5 md5, hmac-md5 authmd5h(7M)

HMAC-SHA-1 sha, sha1, hmac-sha, hmac-sha1 authsha1(7M)

Table 1–2 Supported Encryption Algorithms

Algorithm Name Security Option Format Man Page Package

DES-CBC des, des-cbc encrdes(7M) SUNWcsr, SUNWcarx.u

3DES–CBC or Triple-DES 3des, 3des-cbc encr3des(7M) SUNWcsr, SUNWcarx.u

Blowfish blowfish, blowfish-cbc encrbfsh(7M) SUNWcryr, SUNWcryrx

AES-CBC aes, aes-cbc encraes(7M) SUNWcryr, SUNWcryrx

CLOUD SECURITY:

Cloud security is the protection of data, applications, and infrastructures involved in cloud
computing. Many aspects of security for cloud environments (whether it’s a public, private, or
hybrid cloud) are the same as for any on-premise IT architecture.

Cloud security, also known as cloud computing security, consists of a set of policies, controls,
procedures and technologies that work together to protect cloud-based systems, data and
infrastructure. These security measures are configured to protect data, support regulatory
compliance and protect customers' privacy as well as setting authentication rules for individual
users and devices. From authenticating access to filtering traffic, cloud security can be
configured to the exact needs of the business. And because these rules can be configured and
managed in one place, administration overheads are reduced and IT teams empowered to focus
on other areas of the business.

The way cloud security is delivered will depend on the individual cloud provider or the cloud
security solutions in place. However, implementation of cloud security processes should be a
joint responsibility between the business owner and solution provider.

Like any computing environment, cloud security involves maintaining adequate preventative
protections so you:

● Know that the data and systems are safe.

● Can see the current state of security.
● Know immediately if anything unusual happens.
● Can trace and respond to unexpected events.

Cloud security offers many benefits, including:

Centralized security: Just as cloud computing centralizes applications and data, cloud security
centralizes protection. Cloud-based business networks consist of numerous devices and
endpoints. Managing these entities centrally enhances traffic analysis and filtering, streamlines
the monitoring of network events and results in fewer software and policy updates. Disaster
recovery plans can also be implemented and actioned easily when they are managed in one place.

Reduced costs: One of the benefits of utilizing cloud storage and security is that it eliminates the
need to invest in dedicated hardware. Not only does this reduce capital expenditure, but it also
reduces administrative overheads. Where once IT teams were firefighting security issues
reactively, cloud security delivers proactive security features that offer protection 24/7 with little
or no human intervention.

Reduced Administration: When you choose a reputable cloud services provider or cloud
security platform, you can kiss goodbye to manual security configurations and almost constant
security updates. These tasks can have a massive drain on resources, but when you move them to
the cloud, all security administration happens in one place and is fully managed on your behalf.

Reliability: Cloud computing services offer the ultimate in dependability. With the right cloud
security measures in place, users can safely access data and applications within the cloud no
matter where they are or what device they are using.

More and more organizations are realizing the many business benefits of moving their systems to
the cloud. Cloud computing allows organizations to operate at scale, reduce technology costs and
use agile systems that give them the competitive edge. However, it is essential that organizations
have complete confidence in their cloud computing security and that all data, systems and
applications are protected from data theft, leakage, corruption and deletion.

FORENSICS:

Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for presentation in
a court of law. The goal of computer forensics is to perform a structured investigation while
maintaining a documented chain of evidence to find out exactly what happened on a computing
device and who was responsible for it.
Forensic investigators typically follow a standard set of procedures: After physically isolating the
device in question to make sure it cannot be accidentally contaminated, investigators make a
digital copy of the device's storage media. Once the original media has been copied, it is locked
in a safe or other secure facility to maintain its pristine condition. All investigation is done on the
digital copy.

Investigators use a variety of techniques and proprietary software forensic applications to

examine the copy, searching hidden folders and unallocated disk space for copies of deleted,
encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a
"finding report" and verified with the original in preparation for legal proceedings that involve
discovery, depositions, or actual litigation.

Computer Forensic Capabilities:

• Recover deleted files

• Find out what external devices have been attached and what users accessed them

• Determine what programs ran

• Recover webpages

• Recover emails and users who read them

• Recover chat logs

• Determine file servers used

• Discover document’s hidden history

• Recover phone records and SMS text messages from mobile devices

• Find malware and data collected

Common Computer Forensic Software

• ArcSight Logger
 • Netwitness Investigator

• Quest Change Auditor

• Cellebrite

• Physical Analyzer

• Lantern

• Access Data’s Forensic Toolkit (FTK)

• EnCase Cybersecurity

• EnCase eDiscovery

• EnCase Portable

• EnCase Forensic

Mobile Forensics:

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or
data from a mobile device under forensically sound conditions. The phrase mobile device usually
refers to mobile phones; however, it can also relate to any digital device that has both internal
memory and communication ability, including PDA devices, GPS devices and tablet computers.

Mobile devices can be used to save several types of personal information such as contacts,
photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain
video, email, web browsing information, location information, and social networking messages
and contacts.

There is growing need for mobile forensics due to several reasons and some of the prominent
reasons are:

● Use of mobile phones to store and transmit personal and corporate information
● Use of mobile phones in online transactions
● Law enforcement, criminals and mobile phone devices.