
CAPWAP System Security, T. Charles Clancy (clancy@cs.umd.edu)


  1. CAPWAP System Security
     UMD Department of Computer Science / DoD Laboratory for Telecommunication Sciences
     T. Charles Clancy, clancy@cs.umd.edu
     Department of Computer Science, University of Maryland, College Park
     Laboratory for Telecommunication Sciences, US Department of Defense
     IETF 64, CAPWAP WG, November 7, 2005

  2. Security Protocol Hierarchy
     [Diagram: hierarchy of Mgmt and AAA servers, ACs, WTPs and STAs; link labels: AAA, SNMP, HTTP, CAPWAP, 802.1X]

  3. Threat Model
     [Diagram: Mgmt, AAA, AC, WTP and STA nodes annotated with threats: aid in service theft, compromise credentials, denial of service, penetration risk, eavesdrop, service theft]

  4. Trust Relationships
     [Diagram: Mgmt, AAA, AC, WTP and STA nodes; link labels: AAA Key, Admin Credential, MK, Long-Term EAP Credential, MSK, PSK/Cert, TK]

  5. System Security
     • Long-Term Trust Relationships:
       – WTP ↔ AC (CAPWAP PSK or Certificate)
       – AC ↔ AAA (AAA secret / RADIUS)
       – STA ↔ AAA (EAP Credential)
     • Trust Chaining: WTP ↔ AC ↔ AAA ↔ STA => WTP ↔ STA
     • Only as secure as the weakest link

  6. Implications
     • Strong mutual authentication at each level
     • All transmitted packets MUST be protected by a keyed integrity check value to prevent forgery
     • Encryption only required if transmitted data is sensitive (application specific)
     • Eavesdropping easier on wireless links, thus encryption is RECOMMENDED

  7. Crypto Security
     • Ciphers MUST be IND-CPA-secure, SHOULD be NM-CCA-secure
     • Example: WEP is IND-CPA-secure (excluding FMS attack)
     • Example: TKIP is IND-CCA-secure (due to Michael flaws)

                          Chosen Plaintext    Chosen Ciphertext
     Non-Malleable        NM-CPA              NM-CCA
     Indistinguishable    IND-CPA             IND-CCA

     [Figure annotations: Most Secure, Least Secure, Strong MAC, Good Crypto]

  8. Good Ciphers and MACs
     • Good Ciphers: AES-CCMP, RSA-OAEP
     • Good MACs: AES-CBC-MAC, HMAC-SHA1
     • Replay prevention
       – Approach 1: have MAC cover packet header (AES-CCMP) – good
       – Approach 2: require strong, randomly initialized, incrementing IV – better
       – Approach 3: include a randomly initialized, explicit sequence number (DTLS) – best

  9. Attack Containment
     [Diagram: AAA, AC, WTP and STA hierarchy with one point marked "Compromise"; nodes are labelled "Affected Nodes" and "Unaffected Nodes"]

  10. Implications
      • To mitigate and contain compromises:
        – Each AC must have a unique shared secret with each AAA server
        – Each WTP must have a unique PSK or certificate for each AC
        – Each STA must have a unique TK with each WTP and unique MSK with each AC
      • Handoffs between WTPs MUST derive a fresh TK
        – 802.11i: execute a new four-way handshake
      • Handoffs between ACs MUST derive a fresh MSK
        – 802.11i: reauthenticate

  11. CAPWAP Management
      • Upper-layer management features:
        – SNMP interface
        – Firmware updates
      • Must be strongly and mutually authenticated
      • Management should be executed via the AC
        – Maintain hierarchy, preserve security properties
        – Single, centralized authentication point
        – Single point of failure, DoS possibility
      • AC provides SNMP front end to the CAPWAP management protocol

  12. CAPWAP Protocol Requirements
      • Need authentication
        – Symmetric key size ≥ 128 bits
        – Public key size ≥ 2048 bits
        – Explicit mutual authentication with key confirmation (prevent DoS)
        – Unique credentials for each WTP
      • Need authorization
        – Must authorize WTPs connecting to ACs
        – Possessing a certificate signed by someone is not sufficient for authorization

  13. CAPWAP Security Interactions
      • Need CAPWAP protocol policy such that:
        – AC ↔ AAA
          • Authentication is unique, strong, mutual, and explicit
          • Communications protected by strong ciphersuite
        – STA ↔ AAA
          • Authentication is unique, strong, mutual, and explicit
          • Communications protected by strong ciphersuite
        – STA ↔ WTP
          • Communications protected by strong ciphersuite
          • WEP is NOT RECOMMENDED
        – Management ↔ AC
          • Authentication is unique, strong, mutual, and explicit
          • Communications protected by strong ciphersuite
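
Added example, not part of the presentation: the keyed integrity check value from slide 6 combined with replay-prevention approach 3 from slide 8, using HMAC-SHA1 over header and payload and a randomly initialized, explicit sequence number checked against a receiver-side window. The header layout, class names, window size, and the receiver learning the starting sequence number from the first authenticated packet of a session are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

HDR = struct.Struct("!HQ")   # constructed header: 16-bit message type, 64-bit sequence number
TAG_LEN = 20                 # HMAC-SHA1 output length in bytes
WINDOW = 64                  # how far behind the newest packet a late packet may arrive
MASK = (1 << WINDOW) - 1


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = secrets.randbits(48)   # randomly initialized, sent explicitly

    def seal(self, msg_type: int, payload: bytes) -> bytes:
        self.seq += 1
        header = HDR.pack(msg_type, self.seq)
        # The ICV covers header and payload, so neither can be altered unnoticed.
        tag = hmac.new(self.key, header + payload, hashlib.sha1).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = None   # highest authenticated sequence number so far
        self.seen = 0         # bitmap: bit i set means (highest - i) was accepted

    def open(self, packet: bytes):
        """Return (msg_type, payload), or None if forged, replayed or too old."""
        if len(packet) < HDR.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        msg_type, seq = HDR.unpack_from(body)
        if self.highest is None:                     # first packet of the session
            self.highest, self.seen = seq, 1
        elif seq > self.highest:                     # newer packet: slide the window
            shift = seq - self.highest
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & MASK
            self.highest = seq
        else:                                        # older packet: replay check
            offset = self.highest - seq
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None
            self.seen |= 1 << offset
        return msg_type, body[HDR.size:]
```

The MAC is verified before the sequence number is interpreted, so a forged packet can never move the replay window.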
