Computer and Communication Networks (paperback)
10.7. Security of IP and Wireless Networks
This section presents a case study of some of the security policies adopted for the Internet Protocol (IP) and basic wireless technologies. We start with IPsec, a standard for the IP layer. 10.7.1. IP Security and IPsec
Between any two users with a TCP/IP connection are multiple secure layers of security. A number of fields are appended to an IP packet when it is ready to undergo the security implementation. IP security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets at the IP layer. Figure 10.6 illustrates an encrypted and authenticated IP packet. An IPsec authentication header has the following fields.
Figure 10.6. IPsec authentication header format
IPsec provides enhanced security features, such as better encryption algorithms and more comprehensive authentication. In order for IPsec to work, both sender and receiver must exchange public encryption keys. IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet; the transport mode encrypts the payload. IPsec can encrypt data between devices: router to router, security device to router, PC to router, and PC to server. 10.7.2. Security of Wireless Networks and IEEE 802.11
Wireless networks are particularly vulnerable because of their nonwired infrastructure. Intruders can access wireless networks by receiving radio waves carrying packets and frames propagated beyond the needed range of the network's base station and hosts . Our focus here is the security mechanisms for the wireless 802.11 standards known as wired equivalent privacy (WEP). This section also describes types of security features desired for IEEE 802.11a, b, and i. WEP provides a level of security similar to that found in wired networks. It is a standard of security for IEEE 802.11a and b and offers authentication and data encryption between a host and a wireless base station, using a secret shared key. The essence of this protocol between a host and a base station (wireless access point) is as follows .
Figure 10.7 shows how data is encrypted. First, a 40-bit secret key, k , known by both the host and the base station, is created. A 24-bit initialization field to be used to encrypt a single frame is appended to this key. The initialization field is different for each frame. Figure 10.7. Security implementation in wireless IEEE 802.11
As shown in the figure, a 4-byte CRC field is computed for the data payload. The payload and the CRC bytes are then encrypted. The encryption algorithm produces a stream of key values: k 1 , k 2 , ..., k i , ..., k n - 1 , k n . Assume that the plaintext is partitioned into i bytes. Let c i be the i th byte of the ciphertext and m i be the i th byte of the plaintext; the encryption is done by using k i , as follows: Equation 10.21
To decrypt the ciphertext, the receiver uses the same secret key as the sender used, appends the initialization field to it, and calculates Equation 10.22
WEP is simple and relatively weak. The procedure for security of IEEE 802.11i is different because of its more sophisticated characteristics. This standard specifies an authentication server for the base-station communication. The separation of the authentication server from the base station means that the authentication server can serve many base stations . A new protocol, called Extensible Authentication Protocol (EAP), specifies the interaction between a user and an authentication server (IEEE 802.11i). To summarize the IEEE 802.11i security mechanism: A base station first announces its presence and the types of security services it can provide to the wireless users. This way, users can request the appropriate type and level of encryption or authentication. EAP frames are encapsulated and sent over the wireless link. After decapsulation at the base station, the frames are encapsulated again, this time using a protocol called RADIUS for transmission over UDP to the authentication server. With EAP, public-key encryption is used, whereby a shared secret key known only to the user and the authentication server is created. The wireless user and the base station can also generate additional keys to perform the link-level encryption of data sent over the wireless link, which makes it much more secure than the one explained for 802.11a, b. |