1 Last class
- Ethernet
- Hubs and Switches
- Mobile and wireless networks, CDMA
Today
- CDMA and IEEE 802.11 wireless LANs
- Network security
2 10BaseT and 100BaseT Ethernet
- Uses CSMA/CD
- 10/100 Mbps rate; the latter is called "fast Ethernet"
- T stands for Twisted Pair
- Nodes connect to a hub: "star topology"; 100 m max distance between a node and the hub
3 Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends the max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- The individual collision domains are merged into one large, common collision domain
- Cannot interconnect 10BaseT and 100BaseT hubs
4 Switch: traffic isolation
- Installing a switch breaks the subnet into LAN segments
- The switch filters frames:
  - frames addressed within a LAN segment are not usually forwarded onto other LAN segments
  - segments become separate collision domains
5 Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem:
- B and A hear each other
- B and C hear each other
- A and C cannot hear each other, so A and C are unaware of their interference at B
Signal fading:
- B and A hear each other
- B and C hear each other
- A and C cannot hear each other (each signal has faded too much by the time it reaches the other), yet both still interfere at B
(Figure: A, B, C with A's and C's signal strength plotted over space; omitted.)
6 Overview
- CDMA and IEEE 802.11 wireless LANs
- Network security
7 Code Division Multiple Access (CDMA)
- Used in several wireless broadcast channel standards (cellular, satellite, etc.)
- A unique "code" is assigned to each user, i.e., code set partitioning
- All users share the same frequency, but each user has its own "chipping" sequence (i.e., code) to encode data
- Encoded signal = (original data) x (chipping sequence)
- Decoding: inner product of the encoded signal and the chipping sequence
- Allows multiple users to "coexist" and transmit simultaneously with minimal interference (if the codes are "orthogonal")
8 CDMA Encode/Decode
Sender: each data bit $d_i$ (taking the value +1 or -1) is spread over the M chips $c_1, \dots, c_M$ of the sender's code, so the channel output in slot i is $Z_{i,m} = d_i \cdot c_m$.
Receiver: the received chips of slot i are correlated with the same code, $D_i = \frac{1}{M}\sum_{m=1}^{M} Z_{i,m} \cdot c_m$, which recovers $d_i$.
(Figure: encoding and decoding of slot 0 and slot 1, with $d_1 = -1$; omitted.)
9 CDMA: two-sender interference
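The following is an added example, not code from the slides: it implements the encode and decode formulas of slide 8 and the two-sender scenario of slide 9 in Python. The data bits and the two 8-chip codes are constructed for illustration; the codes were chosen so that their inner product is zero, which is exactly the "orthogonal" condition of slide 7. The `crosstalk` helper shows what happens when that condition fails.

```python
# Added example, not from the slides: CDMA encode/decode with two senders
# whose chipping codes are orthogonal, using the slide's formulas
# Z_{i,m} = d_i * c_m (spread) and D_i = (1/M) * sum_m Z_{i,m} * c_m (despread).
# Data bits are +1/-1; both the bits and the 8-chip codes are constructed here.

from typing import List, Sequence

CODE_1 = [1, 1, 1, -1, 1, -1, -1, -1]   # sender 1's chipping code (constructed)
CODE_2 = [1, -1, 1, 1, 1, -1, 1, 1]     # sender 2's code; inner product with CODE_1 is 0


def inner(a: Sequence[int], b: Sequence[int]) -> int:
    """Inner product of two chip sequences."""
    return sum(x * y for x, y in zip(a, b))


def encode(bits: Sequence[int], code: Sequence[int]) -> List[List[int]]:
    """Spread each data bit d_i over M chips: slot i holds Z_{i,m} = d_i * c_m."""
    return [[d * c for c in code] for d in bits]


def superpose(*signals: List[List[int]]) -> List[List[int]]:
    """The shared channel adds all senders' chips, slot by slot and chip by chip."""
    return [[sum(chips) for chips in zip(*slots)] for slots in zip(*signals)]


def decode(channel: List[List[int]], code: Sequence[int]) -> List[float]:
    """D_i = (1/M) * sum_m Z_{i,m} * c_m; exact when every other code is orthogonal to ours."""
    m = len(code)
    return [inner(slot, code) / m for slot in channel]


def crosstalk(code_a: Sequence[int], code_b: Sequence[int]) -> float:
    """Residual a unit bit sent with code_b leaves in a receiver that despreads with code_a.

    0.0 for orthogonal codes, 1.0 for identical codes, in between otherwise.
    """
    return inner(code_a, code_b) / len(code_a)


def demo():
    """Two senders transmit at the same time; each receiver recovers only its own bits."""
    bits_1 = [1, -1]
    bits_2 = [1, 1]
    channel = superpose(encode(bits_1, CODE_1), encode(bits_2, CODE_2))
    return decode(channel, CODE_1), decode(channel, CODE_2)


if __name__ == "__main__":
    print(demo())   # sender 1's bits, then sender 2's bits
    print(crosstalk(CODE_1, CODE_2), crosstalk(CODE_1, [1, 1, 1, -1, 1, -1, -1, 1]))
```

The decoder does not need to know the other senders' codes; orthogonality makes their contribution cancel in the inner product. Flipping a single chip in a code (the last call above) leaves 75% of the other sender's bit in the decoded value, which is why real systems assign codes from an orthogonal set rather than letting users pick them.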
11 IEEE 802.11 Wireless LAN
- 802.11b
  - 2.4 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code
  - widely deployed, using base stations
- 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g
  - 2.4 GHz range
  - up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions
12 802.11 LAN architecture
- A wireless host communicates with a base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): the base station
- Ad hoc mode: hosts only, no AP
(Figure: BSS 1 and BSS 2, each with its AP, connected through a hub, switch or router to the Internet; omitted.)
13 802.11: Channels, association
- 802.11b: the 2.4 GHz-2.485 GHz spectrum is divided into 11 channels at different frequencies
  - the AP admin chooses the frequency for the AP
  - interference is possible: the channel can be the same as the one chosen by a neighboring AP!
- Host: must associate with an AP
  - scans channels, listening for beacon frames containing the AP's name (SSID) and MAC address
  - selects an AP to associate with
  - may perform authentication [Chapter 8]
  - will typically run DHCP to get an IP address in the AP's subnet
14 IEEE 802.11: multiple access
- Avoid collisions: 2 or more nodes transmitting at the same time
- 802.11: CSMA - sense before transmitting
  - don't collide with an ongoing transmission by another node
- 802.11: no collision detection!
  - difficult to receive (sense collisions) while transmitting, because the received signal is weak compared to the node's own transmission (fading)
  - can't sense all collisions in any case: hidden terminal, fading
  - goal: avoid collisions: CSMA/C(ollision)A(voidance)
(Figure: the hidden terminal and fading scenarios of slide 5; omitted.)
15 IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD)
2. If the channel is sensed busy, then
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK arrives, increase the random backoff interval and repeat step 2
802.11 receiver
- If the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem)
(Timing diagram: sender waits DIFS, sends DATA; receiver waits SIFS, returns ACK.)
16 Avoiding collisions (more)
Idea: allow the sender to "reserve" the channel rather than randomly accessing it with data frames, to avoid collisions of long data frames
- Sender first transmits a small request-to-send (RTS) packet to the BS using CSMA
  - RTSs may still collide with each other (but they're short)
- BS broadcasts a clear-to-send (CTS) in response to the RTS
- The CTS is heard by all nodes
  - the sender transmits its data frame
  - other stations defer their transmissions
Data frame collisions are avoided completely using small reservation packets!
17 Collision Avoidance: RTS-CTS exchange
(Timing diagram: A and B both send RTS to the AP and the two RTSs collide; A retries with RTS(A); the AP answers CTS(A), a reservation heard by both A and B; A sends DATA(A) and receives ACK(A) while B defers.)
18 802.11 frame: addressing
Frame layout: frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC
- Address 1: MAC address of the wireless host or AP that is to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: present only when a frame is relayed between two APs over a wireless distribution system (both the "to DS" and "from DS" bits set); it is absent from the infrastructure-mode frames considered here
19 802.11 frame: addressing (example)
H1 sends to router R1 through the AP.
- 802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
- 802.3 frame that the AP forwards onto the wired LAN: dest. address = R1 MAC addr, source address = H1 MAC addr (the AP copies address 3 and address 2 into the Ethernet header)
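As an added example (not code from the slides), the following Python builds the H1-to-AP data frame header of slide 19, parses its three addresses according to the "to DS" / "from DS" flag bits of the frame control field, and produces the 802.3 header a bridging AP would put on the wire. The MAC addresses are constructed; the frame is a plain (non-QoS, subtype 0) data frame with no body or FCS, and the four flag-bit cases follow the 802.11 address table rather than anything on the slide.

```python
# Added example, not from the slides: building and parsing an 802.11 data
# frame header to show how address 1/2/3 are interpreted from the "to DS" /
# "from DS" flag bits, and how the AP turns the frame into an 802.3 header.
# The MAC addresses below are constructed; real frames also carry a body and FCS.

import struct

AP_MAC = bytes.fromhex("02aabbcc0001")   # constructed addresses (locally administered)
H1_MAC = bytes.fromhex("02aabbcc0002")
R1_MAC = bytes.fromhex("02aabbcc0003")

FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02


def build_data_header(addr1: bytes, addr2: bytes, addr3: bytes,
                      to_ds: bool = False, from_ds: bool = False,
                      addr4: bytes = b"") -> bytes:
    """Frame control (2) | duration (2) | addr1 | addr2 | addr3 | seq ctrl (2) | [addr4]."""
    fc0 = FC_TYPE_DATA << 2                       # protocol version 0, type data, subtype 0
    fc1 = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    hdr = struct.pack("<BBH", fc0, fc1, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)
    if to_ds and from_ds:                          # only the AP-to-AP (WDS) case carries a 4th address
        hdr += addr4
    return hdr


def parse_addresses(frame: bytes) -> dict:
    """Map the raw address fields to their roles according to the to DS / from DS bits."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if not to_ds and not from_ds:                  # ad hoc (IBSS): host to host
        return {"DA": a1, "SA": a2, "BSSID": a3}
    if to_ds and not from_ds:                      # host -> AP (the slide's H1 -> AP -> R1 case)
        return {"BSSID": a1, "SA": a2, "DA": a3}
    if from_ds and not to_ds:                      # AP -> host
        return {"DA": a1, "BSSID": a2, "SA": a3}
    return {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]}   # AP -> AP, four addresses


def to_ethernet_header(frame: bytes, ethertype: int = 0x0800) -> bytes:
    """What a bridging AP emits on the wire: dest = DA (R1), source = SA (H1), then EtherType."""
    roles = parse_addresses(frame)
    return roles["DA"] + roles["SA"] + struct.pack(">H", ethertype)


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def demo():
    """H1 -> AP frame of slide 19, and the (dest, source) pair of the resulting 802.3 frame."""
    frame = build_data_header(AP_MAC, H1_MAC, R1_MAC, to_ds=True)
    eth = to_ethernet_header(frame)
    return mac_str(eth[:6]), mac_str(eth[6:12])


if __name__ == "__main__":
    print(demo())
```

Nothing in this header is authenticated: address 2 is whatever the transmitter writes, which is the link-layer form of the address spoofing listed on slide 25. Because the switch behind the AP learns H1's port from that copied source address (slide 20), a forged address 2 also poisons the switch's forwarding table.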
20 802.11: mobility within the same subnet
- H1 remains in the same IP subnet: its IP address can stay the same
- Switch: which AP is H1 associated with?
  - self-learning (Ch. 5): the switch will see a frame from H1 and "remember" which switch port can be used to reach H1
(Figure: H1 moving from BSS 1 (AP 1) to BSS 2 (AP 2), both APs attached to a hub or switch behind a router; omitted.)
21 Network Security
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
22 What is network security?
- Confidentiality: only the sender and the intended receiver should "understand" the message contents
  - sender encrypts the message
  - receiver decrypts the message
- Authentication: sender and receiver want to confirm each other's identity
- Message integrity: sender and receiver want to ensure the message content is not altered (in transit, or afterwards) without detection
- Access and availability: services must be accessible and available to users
23 Friends and enemies: Alice, Bob, Trudy
- Well-known in the network security world
- Bob and Alice (lovers!) want to communicate "securely"
- Trudy (intruder) may intercept, delete, or add messages
(Figure: Alice's secure sender and Bob's secure receiver exchanging data and control messages over a channel that Trudy can reach; omitted.)
24 Who might Bob and Alice be?
- ... well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- On-line banking client/server
- DNS servers
- Routers exchanging routing table updates
- Other examples?
25 There are bad guys (and girls) out there!
Q: What can a "bad guy" do?
A: A lot!
- eavesdrop: intercept messages
- actively insert messages into a connection
- impersonation: fake (spoof) the source address in a packet (or any other field in the packet)
- hijacking: "take over" an ongoing connection by removing the sender or receiver and inserting himself in their place
- denial of service: prevent a service from being used by others (e.g., by overloading its resources)
More on this later ...
27 The language of cryptography
- Symmetric key crypto: sender and receiver keys are identical
- Public-key crypto: encryption key public, decryption key secret (private)
(Figure: plaintext -> encryption algorithm with Alice's encryption key $K_A$ -> ciphertext -> decryption algorithm with Bob's decryption key $K_B$ -> plaintext; omitted.)
28 Symmetric key cryptography
Substitution cipher: substituting one thing for another
- monoalphabetic cipher: substitute one letter for another
E.g.:
  plaintext alphabet:  abcdefghijklmnopqrstuvwxyz
  ciphertext alphabet: mnbvcxzasdfghjklpoiuytrewq
  Plaintext:  bob. i love you. alice
  Ciphertext: nkn. s gktc wky. mgsbc
Q: How hard is it to break this simple cipher?
- brute force (how hard?)
- other?
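The two questions at the bottom of slide 28 can be answered with a few lines of code. The following is an added example, not code from the slides: it implements the slide's monoalphabetic cipher with the slide's key, computes the size of the key space (the brute-force question), and applies the frequency-analysis shortcut (the "other?" question) to a longer constructed English sample, since the slide's 18-letter message is too short for letter statistics to be reliable.

```python
# Added example, not from the slides: the slide's monoalphabetic substitution
# cipher, the size of its key space (the "brute force" question) and the
# frequency-analysis shortcut (the "other?" question). The longer sample
# message used for frequency analysis is constructed here.

import math
import string
from collections import Counter

PLAIN_ALPHABET = string.ascii_lowercase
CIPHER_ALPHABET = "mnbvcxzasdfghjklpoiuytrewq"   # the key from the slide
ENCRYPT_TABLE = str.maketrans(PLAIN_ALPHABET, CIPHER_ALPHABET)
DECRYPT_TABLE = str.maketrans(CIPHER_ALPHABET, PLAIN_ALPHABET)


def encrypt(plaintext: str) -> str:
    """Substitute letter by letter; spaces and punctuation pass through unchanged."""
    return plaintext.lower().translate(ENCRYPT_TABLE)


def decrypt(ciphertext: str) -> str:
    """Apply the inverse substitution."""
    return ciphertext.translate(DECRYPT_TABLE)


def keyspace_bits() -> float:
    """Brute force: any permutation of 26 letters is a key, so 26! keys, about 88 bits."""
    return math.log2(math.factorial(26))


def likely_e(ciphertext: str) -> str:
    """Frequency analysis: the most common ciphertext letter most likely stands for 'e'.

    A substitution cipher never hides letter frequencies; it only relabels them.
    """
    letters = [ch for ch in ciphertext if ch in PLAIN_ALPHABET]
    return Counter(letters).most_common(1)[0][0]


# Constructed English sample, long enough for 'e' to dominate the letter counts.
SAMPLE = ("we need to meet where the secret message is kept. "
          "everyone else has left the street.")


def demo():
    """Encrypt the sample, guess which ciphertext letter is 'e', and check round-tripping."""
    c = encrypt(SAMPLE)
    return likely_e(c), decrypt(c) == SAMPLE


if __name__ == "__main__":
    print(encrypt("bob. i love you. alice"))
    print(round(keyspace_bits(), 1), "bits of key")
    print(demo())
```

Enumerating 2^88 keys is out of reach, so the cipher is not broken by brute force; it is broken because the key space being large says nothing about the leakage of the ciphertext. With the sample above the most frequent ciphertext letter is `c`, which the key indeed maps from `e`, and the remaining letters fall out the same way from digram and word-pattern statistics.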
29 Symmetric key cryptography
Symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A-B}$
- e.g., the key is knowing the substitution pattern in a monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on the key value?
Alice encrypts the plaintext message m into the ciphertext $K_{A-B}(m)$; Bob decrypts with the same key: $m = K_{A-B}(K_{A-B}(m))$
30 Symmetric key crypto: DES
DES: Data Encryption Standard
- US encryption standard [NIST 1993]
- 56-bit symmetric key, 64-bit plaintext input
- How secure is DES?
  - DES Challenge: a 56-bit-key-encrypted phrase ("Strong cryptography makes the world a safer place") was decrypted by brute force in 4 months
  - no known "backdoor" decryption approach
- Making DES more secure:
  - use three keys sequentially (3-DES) on each datum, which lengthens the effective key
  - use cipher-block chaining, so that identical plaintext blocks do not produce identical ciphertext blocks (a mode of operation; it does not make the key any harder to brute-force)
31 Symmetric key crypto: DES
DES operation:
- initial permutation
- 16 identical "rounds" of function application, each using a different 48 bits of the key
- final permutation
32 AES: Advanced Encryption Standard
- new (Nov. 2001) symmetric-key NIST standard, replacing DES
- processes data in 128-bit blocks
- 128-, 192-, or 256-bit keys
- a brute-force decryption (trying each key) that takes 1 sec on DES would take 149 trillion years on AES with a 128-bit key
33 Public Key Cryptography
Symmetric key crypto
- requires that sender and receiver know a shared secret key
- Q: how to agree on the key in the first place (particularly if they never "met")?
Public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender and receiver do not share a secret key
- public encryption key known to all
- private decryption key known only to the receiver
34 Public key cryptography
The plaintext message m is encrypted with Bob's public key $K_B^+$, giving the ciphertext $K_B^+(m)$; Bob decrypts with his private key $K_B^-$: $m = K_B^-(K_B^+(m))$
35 Public key encryption algorithms
Requirements:
1. Need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. Given the public key $K_B^+$, it should be impossible to compute the private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
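To make the two requirements on slide 35 concrete, here is an added example (not code from the slides) of textbook RSA on deliberately tiny numbers. The primes 61 and 53, the exponent 17 and the message 65 are constructed for illustration. Requirement 1 holds for any modulus size; requirement 2 is shown failing here precisely because the modulus is small enough to factor by trial division, which is the whole reason real keys use moduli of 2048 bits or more. Textbook RSA without padding is also deterministic and malleable and is not used as-is in practice.

```python
# Added example, not from the slides: textbook RSA on small numbers to make
# the two requirements on slide 35 concrete. The primes, exponent and message
# are constructed for illustration; real RSA uses 2048-bit moduli and padding.

from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)): the public key K_B+ and private key K_B- for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse, so that e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(m: int, pub) -> int:
    """K_B+(m) = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, priv) -> int:
    """K_B-(c) = c^d mod n; by Euler's theorem K_B-(K_B+(m)) = m (requirement 1)."""
    n, d = priv
    return pow(c, d, n)


def recover_private_key(pub) -> int:
    """Requirement 2 fails when n is small enough to factor: trial division recovers d.

    Knowing p and q gives phi(n) and therefore d from e alone; for a 2048-bit n
    this loop is infeasible, which is what the security of RSA rests on.
    """
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("n has no non-trivial factor")


def demo():
    """Key pair, ciphertext, recovered plaintext, and the private exponent Trudy factors out."""
    pub, priv = keygen(61, 53)      # constructed toy primes; n = 3233
    m = 65
    c = encrypt(m, pub)
    return pub, priv, c, decrypt(c, priv), recover_private_key(pub)


if __name__ == "__main__":
    print(demo())
```

The same `pow(x, k, n)` call performs both directions; only the exponent differs, and requirement 1 is the statement that `e` and `d` are inverses modulo phi(n). The last value returned by `demo()` is Trudy's view: with only the public key she recovers `d` in a few thousand divisions, so "impossible to compute" in requirement 2 is a statement about the size of `n`, not about the algebra.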