SECURE WIRELESS LAN KEAMANAN JARINGAN PROGRAM STUDI TEKNIK TELEKOMUNIKASI FAKULTAS TEKNIK ELEKTRO TELKOM UNIVERSITY.

Slides:



Advertisements
Similar presentations
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Advertisements

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
CMSC 414 Computer and Network Security Lecture 27 Jonathan Katz.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
Mobile and Wireless Communication Security By Jason Gratto.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Secure connections.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
WEP Protocol Weaknesses and Vulnerabilities
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 4: Securing IP.
Karlstad University IP security Ge Zhang
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
WLAN Security1 Security of WLAN Máté Szalay
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
K. Salah1 Security Protocols in the Internet IPSec.
Securing Access to Data Using IPsec Josh Jones Cosc352.
Lecture 7 (Chapter 17) Wireless Network Security Prepared by Dr. Lamiaa M. Elshenawy 1.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
@Yuan Xue CS 285 Network Security IP Security Yuan Xue Fall 2013.
IP Security
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
SECURE WIRELESS LAN Keamanan Jaringan
Chapter 5 Network Security Protocols in Practice Part I
UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture
Security in the layers 8: Network Security.
CSE 4905 IPsec.
Encryption and Network Security
Chapter 18 IP Security  IP Security (IPSec)
WEP & WPA Mandy Kershishnik.
Internet and Intranet Fundamentals
IT443 – Network Security Administration Instructor: Bo Sheng
Wireless Security Ian Bodley.
ANALYSIS OF WIRED EQUIVALENT PRIVACY
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Slides have been taken from:
Virtual Private Networks (VPNs)
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
NET 536 Network Security Lecture 5: IPSec and VPN
Virtual Private Networks (VPNs)
Public-Key, Digital Signatures, Management, Security
Lecture 36.
CSE 5/7349 – February 15th 2006 IPSec.
Lecture 36.
Presentation transcript:

SECURE WIRELESS LAN KEAMANAN JARINGAN PROGRAM STUDI TEKNIK TELEKOMUNIKASI FAKULTAS TEKNIK ELEKTRO TELKOM UNIVERSITY

KERANGKA

WIRELESS LAN

WIRELESS LAN (MODE)

WLAN SECURITY

SEJARAH KEAMANAN WLAN

SEJARAH KEAMANAN WLAN (LAYANAN KEAMANAN B)

SEJARAH KEAMANAN WLAN (OTENTIKASI SISTEM TERBUKA)

SEJARAH KEAMANAN WLAN (OTENTIKASI SHARED KEY)

SEJARAH KEAMANAN WLAN (WIRED EQUIVALENT PRIVACY)

KEAMANAN WLAN (KODE RON NOMOR 4)

KEAMANAN WLAN (PENGIRIMAN WEP)

KEAMANAN WLAN (ENKRIPSI WEP)

KEAMANAN WLAN (PENERIMAAN WEP)

STATIC WEP ENCRYPTION KEY AND INITIALIZATION VECTOR (1) a secret 40-bit static key a 24-bit number Initialization Vector (IV) 64-bit WEP a secret 104-bit static key a 24-bit number Initialization Vector (IV) 128-bit WEP

STATIC WEP ENCRYPTION KEY AND INITIALIZATION VECTOR (2) Not all client stations or access points support both hex and ASCII. The static key must match on both the access point and the client device. A static WEP key can be entered as hexadecimal (hex) characters (0–9 and A–F) or ASCII characters. A 40-bit static key consists of 10 hex characters or 5 ASCII characters. A 104-bit static key consists of 26 hex characters or 13 ASCII characters. Initialization Vector (IV) is sent in cleartext and is different on every frame.

HOW DOES WEP WORK? (1)

HOW DOES WEP WORK? (2) WEP runs a cyclic redundancy check (CRC) on the plaintext data that is to be encrypted and then appends the Integrity Check Value (ICV) to the end of the plaintext data. A 24-bit cleartext Initialization Vector (IV) is then generated and combined with the static secret key. WEP then uses both the static key and the IV as seeding material through a pseudo- random algorithm that generates random bits of data known as a keystream.

HOW DOES WEP WORK? (3) The pseudo-random bits in the keystream are then combined with the plaintext data bits using a Boolean XOR process. The end result is the WEP ciphertext, which is the encrypted data. The encrypted data is then prefixed with the cleartext IV.

KERAPUHAN WEP (SERANGAN WEP PASIF)

SERANGAN WEP PASIF

KELEMAHAN IV

SERANGAN WEP AKTIF

PENGUATAN KEAMANAN WLAN

PENGUATAN KEAMANAN WLAN (IEEE 802.1X)

PENGUATAN KEAMANAN WLAN (WPA)

HOW DOES WPA WORK?

HOW WPA ADDRESSES THE WEP VULNERABILITY  WPA WRAPS RC4 CIPHER ENGINE IN FOUR NEW ALGORITHMS 1. EXTENDED 48-BIT IV AND IV SEQUENCING RULES 2^48 IS A LARGE NUMBER! MORE THAN 500 TRILLION SEQUENCING RULES SPECIFY HOW IVS ARE SELECTED AND VERIFIED 2. A MESSAGE INTEGRITY CODE (MIC) CALLED MICHAEL DESIGNED FOR DEPLOYED HARDWARE REQUIRES USE OF ACTIVE COUNTERMEASURES 3. KEY DERIVATION AND DISTRIBUTION INITIAL RANDOM NUMBER EXCHANGES DEFEAT MAN-IN- THE-MIDDLE ATTACKS 4. TEMPORAL KEY INTEGRITY PROTOCOL GENERATES PER- PACKET KEYS

PENGUATAN KEAMANAN WLAN (SERANGAN WPA PRAKTIS)

RESUME (1)

RESUME (2)

LAYERED SECURITY

EXAMPLE SECURITY PROTOCOLS APPLICATION LAYER: PGP TRANSPORT LAYER: SSL/TLS NETWORK LAYER: IPSEC DATA LINK LAYER: IEEE SECURITY AT THE PHYSICAL LAYER?

SECURITY IN WHAT LAYER? DEPENDS ON THE PURPOSE… WHAT INFORMATION NEEDS TO BE PROTECTED? WHAT IS THE ATTACK MODEL? WHO SHARES KEYS IN ADVANCE? SHOULD THE USER BE INVOLVED? E.G., A NETWORK-LAYER PROTOCOL CANNOT AUTHENTICATE TWO END-USERS TO EACH OTHER AN APPLICATION-LAYER PROTOCOL CANNOT PROTECT IP HEADER INFORMATION ALSO AFFECTS EFFICIENCY, EASE OF DEPLOYMENT, ETC.

GENERALLY… WHEN SECURITY IS PLACED AS LOWER LEVELS, IT CAN PROVIDE AUTOMATIC, “BLANKET” COVERAGE… …BUT IT CAN TAKE A LONG TIME BEFORE IT IS WIDELY ADOPTED WHEN SECURITY IS PLACED AT HIGHER LEVELS, INDIVIDUAL USERS CAN CHOOSE WHEN TO USE IT… …BUT USERS WHO ARE NOT SECURITY-CONSCIOUS MAY NOT TAKE ADVANTAGE OF IT

NOTE… THE “BEST” SOLUTION IS NOT NECESSARILY TO USE PGP OVER IPSEC! WOULD HAVE BEEN BETTER TO DESIGN THE INTERNET WITH SECURITY IN MIND FROM THE BEGINNING…

EXAMPLE: PGP VS. SSL VS. IPSEC PGP IS AN APPLICATION-LEVEL PROTOCOL FOR “SECURE ” CAN PROVIDE SECURITY ON “INSECURE” SYSTEMS USERS CHOOSE WHEN TO USE PGP; USER MUST BE INVOLVED ALICE’S SIGNATURE ON AN PROVES THAT ALICE ACTUALLY GENERATED THE MESSAGE, AND IT WAS RECEIVED UNALTERED; ALSO NON-REPUDIATION IN CONTRAST, SSL WOULD SECURE “THE CONNECTION” FROM ALICE’S COMPUTER; WOULD NEED AN ADDITIONAL MECHANISM TO AUTHENTICATE THE USER COMMUNICATION WITH OFF-LINE PARTY (I.E., )

EXAMPLE: PGP VS. SSL VS. IPSEC SSL SITS AT THE TRANSPORT LAYER, “ABOVE” TCP PACKET STREAM AUTHENTICATED/ENCRYPTED END-TO-END SECURITY, BEST FOR CONNECTION-ORIENTED SESSIONS (E.G., HTTP TRAFFIC) USER DOES NOT NEED TO BE INVOLVED THE OS DOES NOT HAVE TO CHANGE, BUT APPLICATIONS DO IF THEY WANT TO COMMUNICATE SECURELY IF TCP ACCEPTS A PACKET WHICH IS REJECTED BY SSL, THEN TCP WILL REJECT THE “CORRECT” PACKET (DETECTING A REPLAY) WHEN IT ARRIVES! SSL MUST THEN CLOSE THE CONNECTION…

EXAMPLE: PGP VS. SSL VS. IPSEC IPSEC SITS AT THE NETWORK LAYER INDIVIDUAL PACKETS AUTHENTICATED/ENCRYPTED END-TO-END OR HOP-BY-HOP SECURITY BEST FOR CONNECTIONLESS CHANNELS NEED TO MODIFY OS ALL APPLICATIONS ARE “PROTECTED” BY DEFAULT, WITHOUT REQUIRING ANY CHANGE TO APPLICATIONS OR ACTIONS ON BEHALF OF USERS ONLY AUTHENTICATES HOSTS, NOT USERS USER COMPLETELY UNAWARE THAT IPSEC IS RUNNING

IPsec

OVERVIEW IPSEC CAN PROVIDE SECURITY BETWEEN ANY TWO NETWORK-LAYER ENTITIES HOST-HOST, HOST-ROUTER, ROUTER-ROUTER USED WIDELY TO ESTABLISH VPNS IPSEC ENCRYPTS AND/OR AUTHENTICATES NETWORK-LAYER TRAFFIC, AND ENCAPSULATES IT WITHIN A STANDARD IP PACKET FOR ROUTING OVER THE INTERNET

OVERVIEW IPSEC CONSISTS OF TWO COMPONENTS IKE --- CAN BE USED TO ESTABLISH A KEY AH/ESP --- USED TO SEND DATA ONCE A KEY IS ESTABLISHED (WHETHER USING IKE OR OUT-OF-BAND) AH DATA INTEGRITY, BUT NO CONFIDENTIALITY ESP DATA INTEGRITY + CONFIDENTIALITY (OTHER DIFFERENCES AS WELL)

SECURITY POLICY DATABASE NODES MAINTAIN A TABLE SPECIFYING WHAT IS REQUIRED FOR EACH INCOMING PACKET DROP FORWARD/ACCEPT WITHOUT IPSEC PROTECTION REQUIRE IPSEC PROTECTION AUTH ONLY ENC ONLY BOTH AS WITH FIREWALLS, DECISIONS CAN BE BASED ON ANY INFORMATION IN THE PACKET

SECURITY ASSOCIATIONS (SAS) WHEN A NODE RECEIVES A PACKET, NEEDS TO KNOW WHO IT IS FROM MAY BE RECEIVING IPSEC TRAFFIC FROM MULTIPLE SENDERS AT THE SAME TIME - - POSSIBLY EVEN WITH THE SAME IP ADDRESS AN SA DEFINES A NETWORK-LAYER UNIDIRECTIONAL LOGICAL CONNECTION FOR BIDIRECTIONAL COMMUNICATION, NEED TWO SAS THE IPSEC HEADER INDICATES WHICH SECURITY ASSOCIATION TO USE

FIREWALLS… POTENTIAL PROBLEM IF UPPER-LAYER HEADER DATA IS USED FOR DECISION- MAKING; THIS INFORMATION WILL BE ENCRYPTED WHEN USING IPSEC ARGUMENTS PRO AND CON AS TO WHETHER THIS DATA SHOULD BE ENCRYPTED OR NOT: PRO: THIS DATA SHOULDN’T BE DIVULGED; GET RID OF FIREWALLS CON: ADMINISTRATORS WILL LIKELY KEEP FIREWALLS AND TURN OFF ENCRYPTION…

AH VS. ESP TWO HEADER TYPES… AUTHENTICATION HEADER (AH) PROVIDES INTEGRITY ONLY ENCAPSULATING SECURITY PAYLOAD (ESP) PROVIDES ENCRYPTION + INTEGRITY BOTH PROVIDE CRYPTOGRAPHIC PROTECTION OF EVERYTHING BEYOND THE IP HEADERS AH ADDITIONALLY PROVIDES INTEGRITY PROTECTION OF SOME FIELDS OF THE IP HEADER

TRANSPORT VS. TUNNEL MODE TRANSPORT MODE: ORIGINAL IP HEADER NOT TOUCHED; IPSEC INFORMATION ADDED BETWEEN IP HEADER AND PACKET BODY IP HEADER | IPSEC | [ PACKET ] MOST LOGICAL WHEN IPSEC USED END-TO-END protected

TRANSPORT VS. TUNNEL MODE TUNNEL MODE: KEEP ORIGINAL IP PACKET INTACT BUT PROTECT IT; ADD NEW HEADER INFORMATION OUTSIDE NEW IP HEADER | IPSEC | [ OLD IP HEADER | PACKET ] CAN BE USED WHEN IPSEC IS APPLIED AT INTERMEDIATE POINT ALONG PATH (E.G., FOR FIREWALL-TO-FIREWALL TRAFFIC) TREAT THE LINK AS A SECURE TUNNEL RESULTS IN SLIGHTLY LONGER PACKET encrypted authenticated

WHAT SHOULD YOU TAKE AWAY FROM THIS COURSE (AFTER THE FINAL)? SECURITY MIND-SET NOT LIMITED TO COMPUTERS/NETWORKS! SECURITY IS COMPLEX DRAWS ON MANY DIFFERENT DISCIPLINES NEED TO KNOW WHAT YOU ARE DOING SECURITY IS HARD, STILL EVOLVING WE DID NOT COVER SOME OF THE MOST IMPORTANT PRESENT-DAY ATTACKS: SPAM, PHISHING, DDOS, VIRUSES, … SECURITY IS CHALLENGING…BUT FUN!

REFERENCES A. PRAS, P.T. BOER, A. SPEROTTO, R. SADRE, “SECURE WIRELESS LAN”, UNIVERSITY OF TWENTE, 2012 J. KATZ, “COMPUTER AND NETWORK SECURITY”, UNIVERSITY OF MARYLAND, SPRING 2012 W. STALLINGS, “CRYPTOGRAPHY AND NETWORK SECURITY”, 6 TH ED., PRENTICE HALL, 2013

THANK YOU