Praphul Chandra

Security in Traditional Wireless Networks

This chapter discusses the security in the first generation traditional wireless networks (TWNs), in the second generation TWNs, in the 2.5 generation TWNs, and in the 3G TWNs. The key establishment procedure is used to establish a secret or key between two communicating parties. The global systems for mobile-communications (GSM) security model uses a 128-bit preshared secret key (Ki) for securing the mobile equipment (ME) to the base transceiver station (BTS) interface, that is, there is no key establishment protocol in the GSM security architecture model. Instead each subscriber identity module (SIM) is burnt or embedded with a unique Ki, that is, each subscriber has a unique Ki. As this is a “shared” secret between the subscriber and the network, thus the key is stored in the authentication center (AuC) of the network also. The AuC is a database which stores the Ki of all the subscribers. It is this shared secret (Ki) between the SIM and the AuC, that forms the basis for securing the access interface in the GSM networks.

Wireless Local Area Networks

This chapter describes the network architecture, 802.11 framing, and power management of wireless local area networks (WLANs). WLANs allow users to connect to a network without the wires. The 802.11 standard specifies protocols for the physical (PHY) and the media access control (MAC) layers of the OSI stack. The 802.11 standard specifies two network architectures: Infrastructure Basic Service Set (BSS) and Independent BSS (IBSS). In 802.11, connections work at the link layer and an 802.11 station that is connected with an access point may or may not be actively receiving or transmitting data. When a higher-layer packet is fragmented by the 802.11 MAC, all fragments have the same sequence number but each fragment is uniquely identified by a different fragment number. The frame body field is responsible for carrying packets from higher-layer protocols. The 802.11 standard defines two media access protocols: distributed coordination function (DCF) and point coordination function (PCF). One of the original design decisions of 802.11 was to have a clear interface between the MAC and PHY layers so that multiple PHY layers could be used with the same MAC. The 802.11 specification provides a power-management algorithm for stations to conserve power.

Network Security Protocols

This chapter discusses the key-related network security protocols, and the network authentication approaches and protocols. In the symmetric key cryptography (SKC), the key generation is relatively simple. The only requirement of a SKC key is that it should be random and long enough to deter a force attack. SKC relies on a preshared secret between the communication parties to secure communication between them. It does not provide the information on how to establish the “preshared” secret. Most SKC implementations use a key distribution center (KDC) to solve this problem. The KDC is a centralized trusted third party which stores keys for all the n nodes in the network, that is, each node in the system is configured with only one key—its own. This makes the key administration much easier. For two parties to communicate securely using the public key cryptography (PKC), two keys are required. These keys are comprised of the public key (available to anyone) and the private key (known only to the user). The security of the system lies in keeping the private key secret.

QoS and System Capacity

This chapter provides the solutions to the challenges of system capacity and quality of service (QoS) in some detail. WLAN Multimedia Enhancement (WME) standard is a parallel standard to 802.11e to achieve QoS in wireless local area networks (WLANs). Most networks are expected to undergo a transition path—some devices in the network support 802.11e, some support WME, others support Wi-Fi MultiMedia-Scheduled Access (WMM-SA) and yet others would be vanilla (support no QoS). Voice traffic wants minimal delay, but can tolerate certain levels of loss due to the inherent redundancy in voice. Classification of traffic is therefore a good first step toward implementing QoS. 802.11e introduces the concept of a transmission opportunity (TXOP). A TXOP is allocated either via contention or granted through polling. The Enhanced Distributed Coordination Function (EDCF) protocol has been adopted as Wireless Multimedia Enhancement (WME) by the Wi-Fi Alliance as the prestandard implementation of 802.11e. 802.11e/WME provides for admission-control mechanisms using traffic specifications.

The Data World

This chapter gives an overview of packet data networks based on the Internet protocol suite (TCP/IP). The ideas of packet switching were picked up by the Defense Department Special Projects Agency (DARPA), when researchers realized that another benefit of the technology was survivability. The network layer component of TCP/IP is the Internet Protocol (IP). This protocol forms the backbone of the Internet. The TCP/IP suite defines two transport layers—a connectionless and unreliable transport protocol known as the User Datagram Protocol (UDP), and a connection-based/reliable protocol (Transmission Control Protocol or TCP). Domain Name Look-up protocol (DNS) is an important protocol in any IP application because it provides a means to map (or resolve) a service or a device name referred to as a fully qualified domain name (FDQN) to an actual IP address and vice-versa. File Transport Protocol (FTP) is based on TCP and thus runs over a reliable transport layer. It is a request/response protocol with control messages (for example, messages that are sent by the client and server to set up, start, or stop.) defined in the protocol; all are passed in ASCII (that is, human-readable, text-character) format.

The Telephony World

This chapter explains how voice has traditionally been carried over networks. As the demand for telephone service grew and technology evolved, digital computers eventually replaced the manual operators. This not only increased the speed of switching but also led to an increase in the effective capacity of the network. To digitize speech, an analog-digital converter samples the value of the analog signal repeatedly and encodes each result in a set of bits. The media network is responsible for carrying voice traffic from one end user to another. Two types of signaling methods are used: in-band and out-of-band. In-band signaling is almost always used on the local loop, whereas out-of-band signaling is the norm within the core of the modem phone network. Phone networks are hierarchical in nature. One of the first-generation wireless cellular systems was the advanced mobile phone system (AMPS) in North America. With an estimated one billion subscribers all over the world, the most dominant second-generation technology is the global systems for mobile-communications (GSM).

Voice over IP

This chapter elaborates the working, architecture, signaling protocols, and media of Voice-over-IP (VoIP). VoIP over wireless (VoWLAN) must try to minimize bandwidth consumption, which depends on codecs and packetization periods. The public switched telephone network (PSTN) can be logically separated into a signaling subsystem and a media-transport subsystem. Using Internet to carry voice calls also requires implementing signaling and media transport. VoIP deployments can have various architectures. The simplest way to classify these architectures is to understand where voice transitions from the PSTN to the Internet. The Media Gateway Control Protocol (MGCP) does not explicitly define security, but can run over various security layers, such as IPsec and TLS. H248 or Megaco is a centralized protocol very similar to MGCP. Like MGCP, it has the concept of a call manager that is a central point of control for distributed-media endpoints. The chapter focuses on the distributed protocol, H323, which was designed for voice and other media such as video. H323 gateways interface non-H323 networks to the H323 network. The gateway is responsible for establishing connections. The Session Initiation Protocol is the current leader in standards-based VoIP call-signaling protocols. The majority of open-standard-based VoIP implementations use the Real-time Transport Protocol (RTP) for the media path.

Voice over Wi-Fi and Other Wireless Technologies

This chapter describes voice over Wi-Fi in conjunction with other wireless technologies, including proposed 802.11 extensions, cellular, WiMax, Bluetooth (BT), and conventional cordless phone systems. One characteristic of the 802.11 standard is the ever-present enhancement process. The inclusion of a voice-over Wi-Fi capability into a cell-phone handset can be viewed as the ultimate goal for voice over Wi-Fi. WiMax is a new wireless technology, defined by IEEE 802.16x standards. The core standard, 802.16, defines protocols for a broadband wireless infrastructure, operating in the 10–66 GHz frequency range. BT is radio technology geared at the 2.4–2.5835 GHz ISM unlicensed frequency band just like Wi-Fi. Digital Enhanced Cordless Telecommunications (DECT) works in the 1.9 GHz band and utilizes a time-division multiplexing approach to bandwidth allocation. The 802.22 project is working on how to use portions of the RF spectrum, currently allocated to television broadcasting, for carrying wireless data services.

Chapter 7 – Security

Publisher Summary This chapter focuses at Wired Equivalent Privacy (WEP), why it fails, and what is being done to close these loopholes. It is interesting to compare the security architecture in 802.11 with the security architecture in Traditional Wireless Networks (TWNs). 802.11 relies on preshared keys between the mobile nodes/stations and the access points (APs). WEP uses a preestablished/preshared set of keys and is used to encrypt an 802.11 Media-access control Protocol Data Unit (MPDU). To ensure that a packet has not been modified in transit, 802.11 uses an integrity check value (ICV) field in the packet. The security proposal uses the advanced encryption standard (AES) in its default mode. Just like key establishment and key hierarchy, Wi-Fi protected access (WPA) had also adopted the authentication architecture specified in 802.11i completely. The 802.11i protocol fixes many of the loopholes that were discovered in the base 802.11 security protocol. Most applications will probably end up using Internet Protocol Security (IPsec) or transport layer security (TLS)/secure sockets layer (SSL) for ensuring secure signaling and will use Secure Real-time Transport protocol (SRTP) for a secure Real-time Transport Protocol (RTP) stream in voice communication.

Chapter 8 – Roaming

Publisher Summary This chapter explains some of the existing issues with roaming in Wi-Fi networks. A mobile Wi-Fi phone, in most environments, will need to transition from one access point (AP) to another as it moves away from its current APs range. Types of roaming include Intra-ESS, Intra-ESS-with-SubnetChange, Inter-ESS, and Inter-Network. The base standard supports Intra-ESS roaming implicitly through the association/deassociation procedures. The basic 802.11 approach works well for data applications because most such applications use a reliable transport layer protocol like TCP, which conceals the delay/packet loss due to the handoff by using retransmissions. Scanning maintains a list of available candidate APs that the station (STA) can connect to, if it is disconnected, or that are candidates to connect to if the current AP connection deteriorates. Roaming decisions should be based on running-average received signal strength indication (RSSI) rather than instantaneous RSSI, because this approach prevents having too many handoffs. Achieving seamless mobility, where a phone user does not experience a noticeable loss of service during the roaming process, is possible with a carefully tuned scanning and roaming algorithm.